Abstract. The authors' ATR programming formalism is a version of call-by-value PCF under a 
complexity-theoretically motivated type system. ATR programs run in type-2 polynomial-time and 
all standard type-2 basic feasible functionals are ATR-definable (ATR types are confined to levels 0, 
1, and 2). A limitation of the original version of ATR is that the only directly expressible recursions 
are tail-recursions. Here we extend ATR so that a broad range of affine recursions are directly 
expressible. In particular, the revised ATR can fairly naturally express the classic insertion- and 
selection-sort algorithms, thus overcoming a sticking point of most prior implicit-complexity-based 
formalisms. The paper's main work is in refining the original time-complexity semantics for ATR 
to show that these new recursion schemes do not lead out of the realm of feasibility. 

1. Introduction 
1.1. Feasible programming and Affine Tiered Recursion. As Hofmann has noted, a 
problem with implicit characterizations of complexity classes is that they often fail to capture 
many natural algorithms, usually because the complexity-theoretic types used to control primitive 
recursion impose draconian restrictions on programming. For example, in Bellantoni and Cook's 
and Leivant's [13] well-known characterizations of the polynomial-time computable functions, a 
value that is the result of a recursive call cannot itself be used to drive a recursion. But, for instance, 
the recursion clause of insertion-sort has the form ins_sort(cons(a, l)) = insert(a, ins_sort(l)), where 
insert is defined by recursion on its second argument; selection-sort presents analogous problems. 
Hofmann addresses this problem by noting that the output of a non-size-increasing 
program (such as ins_sort) can be safely used to drive another recursion, as it cannot cause the 
sort of complexity blow-up the B-C-L restrictions guard against. To incorporate such recursions, 
Hofmann defines a higher-order language with typical first-order types and a special type through 
which functions defined recursively must "pay" for any use of size-increasing constructors, in effect 
guaranteeing that there is no size increase. Through this scheme Hofmann is able to implement 
many natural algorithms while still ensuring that any typable program is non-size-increasing poly- 
nomial-time computable (Aehlig and Schwichtenberg sketch an extension that captures all of 
polynomial-time). 

Our earlier paper, hereafter referred to as ATS, takes a different approach to constructing a 
usable programming language with guaranteed resource usage. ATS introduces a type-2 program- 
ming formalism called ATR, for Affine Tiered Recursion, based on call-by-value PCF for which the 
underlying model of computation (and complexity) is a standard abstract machine. ATR's type 
system comes in two parts: one that is motivated by the tiering and safe/normal notions of [17] 
and [3] and serves to control the size of objects, and one that is motivated by notions of affineness 
that serves to control time. Instead of restricting to primitive recursion, ATR has an operator for 
recursive definitions; affine types and explicit clocking on the operator work together to prevent 
any complexity blow-up. In ATS we give a denotational semantics to ATR types and terms in 
which the size restrictions play a key part. This allows us, for example, to give an ATR definition 
of a primitive-recursion-on-notation combinator (without explicit bounding terms) that preserves 
feasibility. We also give a time-complexity semantics and use it to prove that each type-2 ATR 
program has a (second-order) polynomial run-time. Finally, we show that the type-2 basic feasible 
functionals (an extension of polynomial-time computability to type-2) of Mehlhorn and Cook 
and Urquhart [7] are ATR definable. However, the version of ATR defined in ATS is still somewhat 
limited as its only base type is binary words and the only recursions allowed are tail-recursions. 

In our earlier [8] ATR stood for Affine Tail Recursion; we re-christened it in 

1.2. What is new in this paper. In this paper we extend ATR to encompass a broad class 
of feasible affine recursions. We demonstrate these extensions by giving fairly direct and natural 
versions of insertion- and selection-sorts on lists (Section 3) as well as the primitive-recursion-on- 
notation combinator (in Section 6). As additional evidence of ATR's support for programming we 
do not add lists as a base type, but instead show how to implement them over ATR's base type of 
binary words. 

The "two algorithms" of the title should not be interpreted as referring to insertion- and selection- 
sort, but rather to the recursion schemes that those two algorithms exemplify. Most implicit charac- 
terizations restrict to structural recursion, resulting in somewhat ad-hoc implementations of other 
kinds of recursion by simulation. We chose insertion- and selection-sort as our prime examples 
in this paper because they embody key forms of non-structural one-use recursion; we capture these 
key forms in what we call plain affine recursion. We feel that by handling any plain affine re- 
cursive program, we have shown that our system can deal with almost all standard feasible linear 
recursions. 

The technical core of this paper is the extension of the Soundness Theorem from ATS (which 
handled only tail recursions) to the current version of ATR. After defining an evaluation semantics 
in Section 2 and surveying and simplifying the time-complexity semantics of ATS in Section 4, we 
introduce and prove the Soundness Theorem for plain affine recursions in Section 5. In Section 6 we 
use the Soundness Theorem to relate ATR-computable functions to the type-2 basic feasible func- 
tionals. Since plain affine recursions include those used to implement lists and the sorting algorithms, 
this significantly extends our original formalism to the point where many standard algorithms can 
be naturally expressed while ensuring that we do not leave the realm of type-2 feasibility (and in 
particular, polynomial-time for type-1 programs). 

With the exception of the (Shift) typing rule, we provide full definitions of all terms in this 
paper, and we believe that it can be understood on its own. However, the paper is not entirely 
self-contained: some of the proofs are adaptations of corresponding proofs in ATS, and in those 
cases we refer the reader to that paper for details. 

1.3. Acknowledgment. Part of the motivation for this paper was a challenge to give natural 
versions of insertion-, selection-, and quick-sorts within an implicit complexity formalism, issued by 
Harry Mairson in a conversation with the second author. 

These kinds of results may also have applications in the type of static analysis for time-complexity that Fred- 
eriksen and Jones [13] investigate. 
We discuss quick-sort in Section 7. 

2. The ATR formalism 
2.1. Types, expressions, and typing. An ATR base type has the form $N_L$, where labels $L$ are 
elements of the set $(\Box\Diamond)^* \cup \Diamond(\Box\Diamond)^*$ (our use of $\Diamond$ is unrelated to Hofmann's); the intended inter- 
pretation of $N_L$ is $=_{df} \{0, 1\}^*$. The labels are ordered by $\varepsilon < \Diamond < \Box\Diamond < \Diamond\Box\Diamond < \cdots$. We define 
a subtype relation on the base types by $N_L <: N_{L'}$ if $L \le L'$ and extend it to function types in the 
standard way. Roughly, we can think of type-$N_\varepsilon$ values as basic string inputs, type-$N_\Diamond$ values as 
the result of polynomial-time computations over $N_\varepsilon$-values, type-$N_{\Box\Diamond}$ values as the result of applying 
an oracle (a type-1 input) to $N_\Diamond$-values, type-$N_{\Diamond\Box\Diamond}$ values as the result of polynomial-time compu- 
tations over $N_{\Box\Diamond}$-values, etc. To make an analogy with the safe/normal distinction of Bellantoni 
and Cook [3], oracular types correspond to normal arguments and computational types correspond 
to safe arguments (once we apply an oracle, we "reset" our notion of what constitutes potentially 
large data, but we do not "flatten" the notion by having one oracular and one computational 
type). ATR's denotational semantics works to enforce these intuitions. $N_L$ is called an oracular 
(respectively, computational) type when $L \in (\Box\Diamond)^*$ (respectively, $\Diamond(\Box\Diamond)^*$). We let $b$ (possibly 
decorated) range over base types. Function types are formed as usual from the base types. We 
sometimes write $(\sigma_1, \ldots, \sigma_k) \to \sigma$ or $\vec\sigma \to \sigma$ for $\sigma_1 \to \cdots \to \sigma_k \to \sigma$. 

Definition 1. For any type $\sigma$ define $\mathit{tail}(\sigma)$ by $\mathit{tail}(b) = b$ and $\mathit{tail}(\sigma \to \tau) = \mathit{tail}(\tau)$. 

Definition 2. A type $\sigma$ is predicative when $\sigma$ is a base type or when $\sigma = \sigma_1 \to \cdots \to \sigma_k \to N_L$ 
and $\mathit{tail}(\sigma_i) <: N_L$ for all $i$. A type is impredicative if it is not predicative. A (function) type 
$\sigma_1 \to \cdots \to \sigma_k \to N_L$ is flat if $\mathit{tail}(\sigma_i) = N_L$ for some $i$. A type is strict if it is not flat. 

The interpretation of the arrow types entails a significant amount of work in the semantics, 
which we do in ATS. Very briefly, our semantics takes seriously the size information implicit in the 
labeled base types. In particular, the full type structure is "pruned" to create what we call the 
well-tempered semantics so that the function spaces of flat and impredicative types consist only of 
functions with appropriate growth rates. The relevant points are the following: 

(1) If $f : (\sigma_1, \ldots, \sigma_k) \to b$ and $b <: \mathit{tail}(\sigma_i)$, then $|f|$ is bounded by a safe polynomial (see 
Definition 6), where $|f|$ measures the growth rate of $f$ and is defined in Definition 14. 

(2) As a special case of the previous point, if $f : (\sigma_1, \ldots, \sigma_k) \to b$ and $b <: \mathit{tail}(\sigma_i)$, then $|f|$ is 
independent of its $i$-th argument. 

(3) Recursive definitions in ATR typically have flat types; the restriction on growth rates ensures 
that such recursively-defined functions do not lead us out of the realm of feasibility. 

As this paper is concerned primarily with syntactic matters (extending the allowable forms of 
recursions), we do not go into full details of the denotational semantics here, instead referring the 
reader to Sections 6-9 of ATS. 

The ATR expressions are defined in Figure 1. We use $v, x, y, z$ for variables, $a$ for elements of $K$, 
$\alpha, \beta$ for oracles, and $t$ for expressions (all possibly sub- and super-scripted and with primes). We 
can think of oracle symbols as external function calls. Formally, they are constant symbols for 
elements of the ATR-type structure with type-level 1; as such, each oracle symbol is assumed to 
be labeled with its type, which we write as a superscript when it needs to be indicated. The 
more-or-less typical expression-forming operations correspond to adding and deleting a left-most 
bit ($c_0$, $c_1$, and $d$), testing whether a word begins with a 0 or a 1 ($t_0$ and $t_1$), and a conditional. 
The intended interpretation of $\mathit{down}\ s\ t$ is a length test that evaluates to $s$ when $|s| \le |t|$ and $\varepsilon$ when 
$|s| > |t|$. The recursion operator is $\mathit{crec}$, standing for clocked recursion. In Section 3 we present 
several sample ATR programs. 

As a constant, an oracle symbol is closed, and we will suppress the interpretation of oracle symbols in the 
semantics. 
$K ::= \{0,1\}^*$ 

$E ::= V \mid O \mid K \mid \lambda V.E \mid E\,E \mid c_0 E \mid c_1 E \mid d\,E \mid t_0 E \mid t_1 E \mid \mathit{if}\ E\ \mathit{then}\ E\ \mathit{else}\ E \mid \mathit{down}\ E\ E \mid \mathit{crec}\ K\ (\lambda_r V.E)$ 

Figure 1. ATR expressions. $V$ is a set of variable symbols and $O$ a set of oracle symbols. 

The typing rules are given in Figure 2. Type contexts are split into intuitionistic and affine zones 
as with Barber and Plotkin's DILL. When we write $\Delta_0 \cup \Delta_1$ we implicitly assume that the 
environments are consistent (i.e., assign the same type to variables in $\mathrm{Dom}\,\Delta_0 \cap \mathrm{Dom}\,\Delta_1$) and when 
we write $\Delta_0, \Delta_1$ we implicitly assume that the environments have disjoint domains. Variables in 
the intuitionistic zone correspond to the usual $\to$ introduction and elimination rules and variables 
in the affine zone are intended to be recursively defined; variables that occur in the affine zone are 
said to occur affinely in the judgment. The crec-I rule serves as both introduction and elimination 
rule for the implicit $\multimap$ types (in the rule $\vec b = b_1, \ldots, b_k$ and $\vec v : \vec b$ stands for $v_1 : b_1, \ldots, v_k : b_k$). 
We use $\lambda_r$ as the abstraction operator for variables introduced from the affine zone of the type 
context to further distinguish them from intuitionistic variables. The typing rules enforce a "one- 
use" restriction on affine variables that we discuss in Section 5.1. Forbidding affine variables in the 
conditional test is primarily a convenience and can be easily worked around with let-bindings. Two 
of the inference rules come with side-conditions: 

(crec-I) side-condition: If $b_j <: b_1$ then $b_j$ is oracular (including $j = 0$). 

($\to$-E) side-condition: At most one of $\Delta_0$ and $\Delta_1$ is non-empty, and if $\Delta_1$ is non-empty 
then $\sigma$ is a base type. 

Recalling our analogy of oracular types with normal arguments, the (crec-I) side-condition says that 
the clock bound (the first argument in a recursive definition) is normal and its size only depends 
on normal data. Thus, while the clock bound can be changed during a recursive step, this change 
is well-controlled. This is the core of the Termination Lemma (Theorem 18), in which we prove a 
polynomial size-bound on the growth of the arguments to $f$, which in turn allows us to prove such 
bounds on all terms. The intuition behind the ($\to$-E) side-condition is that an affine variable $f$ may 
occur in either the operator or argument of an application, but not both. Furthermore, if it occurs 
in the argument, then it must be a "completed" application in order to prevent the operator from 
duplicating it (our call-by-value semantics will thus recursively evaluate this complete application 
once and then plug the result into the operator). 

The intuition behind the shifts-to relation $\propto$ between types is as follows. Suppose $f : N_\varepsilon \to N_\Diamond$. 
We think of $f$ as being a function that does some polynomial-time computation on its input. If 
we have an input $x$ of type $N_{\Box\Diamond}$ then, recalling the intuition behind the base types, we should 
be able to assign the type $N_{\Diamond\Box\Diamond}$ to $f(x)$. The shifts-to relation allows us to shift input types 
in this way, with a corresponding shift in output type. As a concrete example, the judgment 
$f : N_\varepsilon \to N_\Diamond, x : N_\varepsilon \vdash f(f\,x) : N_{\Diamond\Box\Diamond}$ is derivable using (Subsumption) to coerce the type of $f(x)$ to 
$N_{\Box\Diamond}$ and (Shift) to shift the type of the outer application of $f$ to $N_{\Box\Diamond} \to N_{\Diamond\Box\Diamond}$. The definition 
of $\propto$ must take into account multiple arguments and level-2 types, and it must preserve certain 
relationships between input and output types (for example, shifting must "preserve flatness" in the 
sense that if $t : \sigma \to \tau$, $\mathit{tail}(\sigma) = \mathit{tail}(\tau)$, and $\sigma \to \tau \propto \sigma' \to \tau'$, then $\mathit{tail}(\sigma') = \mathit{tail}(\tau')$). Our examples 
in this paper (implementing lists and sorting) do not make use of the (Shift) rule, so in order not 
to distract the reader from our main theme, we direct him or her to ATS for the full definition. 
(Zero-I) $\dfrac{}{\Gamma; \Delta \vdash \varepsilon : N_\varepsilon}$ 
(Const-I) $\dfrac{}{\Gamma; \Delta \vdash a : N_\Diamond}$ 
(Oracle-I) $\dfrac{}{\Gamma; \Delta \vdash \alpha^\sigma : \sigma}$ 

(Int-Id-I) $\dfrac{}{\Gamma, v : \sigma; \Delta \vdash v : \sigma}$ 
(Aff-Id-I) $\dfrac{}{\Gamma; \Delta, v : \sigma \vdash v : \sigma}$ 

(Shift) $\dfrac{\Gamma; \_ \vdash s : \sigma}{\Gamma; \_ \vdash s : \tau}\ (\sigma \propto \tau)$ 
(Subsumption) $\dfrac{\Gamma; \Delta \vdash s : \sigma}{\Gamma; \Delta \vdash s : \tau}\ (\sigma <: \tau)$ 

($c_a$-I) $\dfrac{\Gamma; \Delta \vdash s : N_L}{\Gamma; \Delta \vdash (c_a\, s) : N_{\Diamond L}}$ 
($d$-I) $\dfrac{\Gamma; \Delta \vdash s : N_L}{\Gamma; \Delta \vdash (d\, s) : N_L}$ 
($t_a$-I) $\dfrac{\Gamma; \Delta \vdash s : N_L}{\Gamma; \Delta \vdash (t_a\, s) : N_L}$ 

(down-I) $\dfrac{\Gamma; \Delta \vdash s : N_L \qquad \Gamma; \_ \vdash t : N_{L'}}{\Gamma; \Delta \vdash (\mathit{down}\ s\ t) : N_{L'}}$ 

(if-I) $\dfrac{\Gamma; \_ \vdash s : N_L \qquad \Gamma; \Delta_0 \vdash t_0 : N_{L'} \qquad \Gamma; \Delta_1 \vdash t_1 : N_{L'}}{\Gamma; \Delta_0 \cup \Delta_1 \vdash (\mathit{if}\ s\ \mathit{then}\ t_0\ \mathit{else}\ t_1) : N_{L'}}$ 

(crec-I) $\dfrac{\_; \_ \vdash a : N_\Diamond \qquad \Gamma, \vec v : \vec b; f : \vec b \to b_0 \vdash t : b_0}{\Gamma; \_ \vdash \mathit{crec}\ a\ (\lambda_r f. \lambda \vec v. t) : \vec b \to b_0}$ 

($\to$-I) $\dfrac{\Gamma, v : \sigma; \Delta \vdash t : \tau}{\Gamma; \Delta \vdash (\lambda v. t) : \sigma \to \tau}$ 
($\to$-E) $\dfrac{\Gamma; \Delta_0 \vdash s : \sigma \to \tau \qquad \Gamma; \Delta_1 \vdash t : \sigma}{\Gamma; \Delta_0, \Delta_1 \vdash (s\, t) : \tau}$ 

Figure 2. ATR typing. See the discussion for side-conditions on (crec-I) and ($\to$-E), 
the definition of $\propto$, and differences between the formalism presented here and in ATS. 

Changes from ATS. The system we present here differs from the one given in ATS in the following 
ways: 

(1) ATS did not restrict (Shift) to have empty affine zone. This restriction is crucial in our 
discussion of plain affine recursion in Section 5.1. Furthermore, we know of no natural 
examples in which this constraint is violated. As (Shift) provides a kind of limited poly- 
morphism, this restriction is similar to the restriction in ML that polymorphism is disabled 
in recursive definitions (see Milner et al. and Pierce, page 338). 

(2) ATS imposed no constraint on $b_0$ in (crec-I). Again, we know of no natural programs in 
which this constraint is violated. 

(3) ATS restricted ($d$-I) and ($t_a$-I) to computational types. There was no real need for this, as 
these term constructors represent operations that are not size-increasing. 

(4) ATS restricted (crec-I) to tail-recursion. Of course, this is the major improvement of the 
current work. 

(5) ATS did not allow affine variables in the argument of ($\to$-E). This is another non-trivial 
improvement of the current work. 



2.2. Operational semantics. Motivated by the approach of Jones, we define the cost of 
computing a program to be the cost of a call-by-value evaluation derivation. The evaluation 
relation $\downarrow$ relates closures to values, which are inductively defined as follows: 

(1) A closure $(\Gamma; \Delta \vdash t : \tau)\rho$ consists of a term $\Gamma; \Delta \vdash t : \tau$ and a $(\Gamma, \Delta, t)$-environment $\rho$. We 
shall always drop reference to the explicit typing and talk of closures $t\rho$. 

(2) A $(\Gamma, \Delta, t)$-environment $\rho$ is a finite map from variables to extended values such that $\mathrm{fv}(t) \subseteq 
\mathrm{Dom}(\Gamma, \Delta)$, $\mathrm{fv}(t) \subseteq \mathrm{Dom}\,\rho$ and if $x \in \mathrm{fv}(t)$ and $(x : \sigma) \in (\Gamma, \Delta)$ then $\rho(x)$ is of type $\sigma$. The 
empty environment is denoted $[]$. 

(3) A value $z\theta$ is a closure in which $z$ is either a string constant, oracle, or abstraction. 

(4) An extended value $z\theta$ is a closure that is a value or has $z = \mathit{crec}\ a\ (\lambda_r f. \lambda \vec v. t)$ for some string 
constant $a$, variables $f$ and $\vec v$, and term $t$. 

For an environment $\rho$, $\rho[x \mapsto z\theta]$ is the environment that is the same as $\rho$ on variables other 
than $x$, and maps $x$ to $z\theta$. We write $\rho[x_1, \ldots, x_n \mapsto z_1\theta_1, \ldots, z_n\theta_n]$ for the obvious simultaneous 
extension, and often abbreviate this by $\rho[\vec x \mapsto \vec z\vec\theta]$ or $\rho[x_i \mapsto z_i\theta_i]$, where in the latter $i$ has a 
range that should be clear from context. We will also occasionally write $\rho[x_{i..j} \mapsto z_{i..j}\theta_{i..j}]$ for 
$\rho[x_i, \ldots, x_j \mapsto z_i\theta_i, \ldots, z_j\theta_j]$. 

In ATS we give an abstract machine semantics based on defunctionalized continuations; see the appendix for a 
proof of the equivalence between that semantics and the one we present here. 

If one is only interested in computing, then the typing information in the following definitions can be dropped. 
However, we will address properties of closures that arise from terms (specifically, bounds on the cost of evaluation) 
and will need to make use of that typing information, so we include it here. 

The evaluation relation $t\rho \downarrow z\theta$ is defined in Figure 3. It is a fairly standard call-by-value 
operational semantics; we just make a few points about some of the rules: 

• Because environments may assign $\mathit{crec}$ terms to variables, we cannot assume that $\rho(x)$ is a 
value in (Env). However, we note that $\rho(x) \downarrow z\theta$ is an instance of either the (Val) or (crec) 
axioms. 

• In the (crec) rule, "$|a| \le |v_1|$" is shorthand for $\mathit{down}\,(c_0\, a)\,(c_0\, v_1)$. 

• In the (down$_i$) rules, $a_s$ and $a_t$ are string constants, so the length comparison makes sense. 
Our cost model will take into account the actual cost of the length comparison. 

• Recalling that oracles name type-1 functions and that the only type-0 values are string 
constants, the evaluation rules $O_0$ and $O_1$ say to treat multiple-argument oracles as though 
they are in curried form, returning the curried oracle result until all arguments have been 
provided. 

The cost of a derivation is the sum of the costs of the rules. All rules have cost 1 except: 

• (Env): if $z$ is a string constant this rule has cost $1 \vee |z|$; otherwise, if $z$ is an abstraction or 
oracle, this rule has cost 1. This reflects a length-cost model of accessing the environment, 
where string constants are copied into memory bit-by-bit, but higher-type values are simply 
stored in memory as references. 

• (down$_i$): the cost of this rule is $2|a_t| + 1$. This reflects the cost of comparing $a_s$ and $a_t$ 
bit-by-bit to determine which is longer. 

• ($O_0$): the cost of this rule is $1 \vee |a'|$, similar to accessing a base-type value in the environment. 

• ($O_1$): the cost of this rule is 1, similar to accessing a higher-type value in the environment. 

Definition 3. $\mathit{cost}(t\rho)$ is defined to be the cost of the evaluation derivation of $t\rho$. We write $t\rho \downarrow_n z\theta$ 
to indicate that $t\rho \downarrow z\theta$ and $\mathit{cost}(t\rho) \le n$. 

A priori $\mathit{cost}(t\rho)$ may be infinite, as there may not be an evaluation derivation of $t\rho$. Intuitively 
the problem may be that the "clock" $|v_1|$ in the (crec) rule may be increased during the recursive 
call, thus leading to a non-terminating recursion. The main work of this paper is to show that $\mathit{cost}(t\rho)$ 
is always finite and in fact second-order polynomially bounded. 

3. Programming in ATR 

To illustrate ATR programming we give a data-type implementation of lists of binary strings and 
then present versions of insertion- and selection-sort using this implementation. These programs 
are fairly close to straightforward ML for these algorithms, with a few crucial differences discussed 

The only reason for including $t$ in this definition is so that if $t$ is a closed term with a typing that happens to 
have a non-empty environment, we can still form the closure. 
(Val) $\dfrac{}{z\theta \downarrow z\theta}\ (z\theta\ \text{a value})$ 

(crec) $\dfrac{}{(\mathit{crec}\ a\ (\lambda_r f. \lambda \vec v. t))\rho \downarrow (\lambda \vec v.\ \mathit{if}\ |a| \le |v_1|\ \mathit{then}\ t\ \mathit{else}\ \varepsilon)\rho[f \mapsto \mathit{crec}\ (0a)\ (\lambda_r f. \lambda \vec v. t)]}$ 

(Env) $\dfrac{\rho(x) \downarrow z\theta}{x\rho \downarrow z\theta}$ 

($c_b$) $\dfrac{s\rho \downarrow a\theta}{(c_b\, s)\rho \downarrow (ba)\theta}$ 
($d$) $\dfrac{s\rho \downarrow \varepsilon\theta}{(d\, s)\rho \downarrow \varepsilon\theta}$ 
($d$) $\dfrac{s\rho \downarrow (ba)\theta}{(d\, s)\rho \downarrow a\theta}$ 

($t_b$) $\dfrac{s\rho \downarrow a\theta}{(t_b\, s)\rho \downarrow \varepsilon[]}\ (a \ne ba'\ \text{for any}\ a')$ 
($t_b$) $\dfrac{s\rho \downarrow (ba)\theta}{(t_b\, s)\rho \downarrow 0[]}$ 

(down$_0$) $\dfrac{s\rho \downarrow a_s\theta_s \qquad t\rho \downarrow a_t\theta_t \qquad |a_s| \le |a_t|}{(\mathit{down}\ s\ t)\rho \downarrow a_s\theta_s}$ 

(down$_1$) $\dfrac{s\rho \downarrow a_s\theta_s \qquad t\rho \downarrow a_t\theta_t \qquad |a_s| > |a_t|}{(\mathit{down}\ s\ t)\rho \downarrow \varepsilon[]}$ 

(if$_0$) $\dfrac{s\rho \downarrow a\theta' \qquad t_0\rho \downarrow z\theta}{(\mathit{if}\ s\ \mathit{then}\ t_0\ \mathit{else}\ t_1)\rho \downarrow z\theta}\ (a \ne \varepsilon)$ 

(if$_1$) $\dfrac{s\rho \downarrow \varepsilon\theta' \qquad t_1\rho \downarrow z\theta}{(\mathit{if}\ s\ \mathit{then}\ t_0\ \mathit{else}\ t_1)\rho \downarrow z\theta}$ 

(App) $\dfrac{s\rho \downarrow (\lambda x. s')\theta' \qquad t\rho \downarrow z''\theta'' \qquad s'\theta'[x \mapsto z''\theta''] \downarrow z\theta}{(s\, t)\rho \downarrow z\theta}$ 

($O_0$) $\dfrac{s\rho \downarrow \alpha^{b_1 \to b_0}\theta' \qquad t\rho \downarrow a\theta \qquad \alpha(a) = a'}{(s\, t)\rho \downarrow a'[]}$ 

($O_1$) $\dfrac{s\rho \downarrow \alpha^{(b_1, \ldots, b_k) \to b_0}\theta' \qquad t\rho \downarrow a\theta \qquad \alpha(a) = \alpha'}{(s\, t)\rho \downarrow \alpha'[]}\ (k > 1)$ 

Figure 3. ATR evaluation. Note that in the $O_i$ rules $a$ is necessarily a string 
constant, hence $\theta$ is irrelevant. 

below. Also, lists and both sorts nicely highlight various forms of affine recursion that we will need 
to treat in our analysis of the complexity properties of ATR programs. 

In these programs we use the ML notation fn x ⇒ … for λ-abstraction. Also, 
let val x = s in t end abbreviates (fn x ⇒ t) s and letrec f = s in t end abbreviates t[f ↦ 
crec ε (λ_r f. s)]. 

We implement lists of binary words as concatenated self-delimiting strings. Specifically, we code 
the word $w = b_0 \ldots b_{k-1}$ as $s(w) = 1b_0\,1b_1 \cdots 1b_{k-1}\,0$ and the list $(w_0, \ldots, w_{k-1})$ as $s(w_0) \oplus \cdots \oplus 
s(w_{k-1})$, where $\oplus$ is the concatenation operation. Code for the basic list operations is given in 
Figure 4. Note that the cons, head, and tail programs all use cons-tail recursion, that is, the 
application of the recursively-defined function is followed by some number of basic operations. 
Insertion-sort is expressed in essentially its standard form, as in Figure 5. This implementation 
requires another form of recursion, in which the complete application of the recursively-defined 
function appears in an argument to some operator. Selection-sort (Figure 6) requires yet another 
form of recursion in which the complete application of the recursively-defined function appears in 
the body of a let-expression. All of these recursion schemes are special cases of what we call plain 
affine recursion, which we discuss in Section 5.1. 

Our head and ins_sort programs use the down operator to coerce the type $N_\Diamond$ to $N_\varepsilon$. Roughly, 
down is used in places where our type-system is not clever enough to prove that the result of a 
val nil = ε : N_ε

val cons : N_ε → N_◇ → N_◇ =
  fn x xs ⇒ letrec enc : N_ε → N_ε → N_◇ =
               fn b y ⇒ if y then if t_0(y) then c_1(c_0(enc b (d y)))
                                  else c_1(c_1(enc b (d y)))
                        else c_0(xs)
            in enc x x end

val head : N_ε → N_ε =
  fn xs ⇒ letrec dec : N_ε → N_ε → N_◇ =
              fn b ys ⇒ if t_1(ys) then
                           if t_0(d ys) then c_0(dec b (d(d(ys)))) else c_1(dec b (d(d(ys))))
                        else ε
           in down (dec xs xs) (xs) end

val tail : N_ε → N_ε =
  fn xs ⇒ letrec strip : N_ε → N_ε → N_ε =
              fn b ys ⇒ if t_1(ys) then strip b (d(d(ys))) else d(ys)
           in strip xs xs end

Figure 4. The basic list operations in ATR. 

val insert : N_ε → N_ε → N_◇ =
  fn x xs ⇒ letrec ins : N_ε → N_ε → N_◇ =
               fn b ys ⇒ if ys then
                            if leq x (head ys) then cons x ys
                            else cons (head ys) (ins b (tail ys))
                         else cons x nil
            in ins xs xs end

val ins_sort : N_ε → N_◇ =
  fn xs ⇒ letrec isort : N_ε → N_ε → N_◇ =
              fn b ys ⇒ if ys then insert (head ys) (down (isort b (tail ys)) ys) else ε
           in isort xs xs end

Figure 5. Insertion-sort in ATR. The function leq tests two integers written in 
binary for inequality; we leave its full definition as an exercise for the reader. 

recursion is of size no larger than one of the recursion's initial arguments; the burden of supplying 
these proofs is shifted off to the correctness argument for the recursion. A cleverer type system 
(say, along the lines of Hofmann's [11]) could obviate many of these down's, but at the price of 
more complex syntax (i.e., typing), semantics (of values and of time-complexities), and, perhaps, 
pragmatics (i.e., programming). Our use of down gives us a more primitive (and intensional) system 
val swap : N_ε → N_ε → N_◇ =
  fn x xs ⇒ if leq x (head xs) then cons x xs
            else cons (head xs) (cons x (tail xs))

val select : N_ε → N_ε =
  fn xs ⇒ letrec sel : N_ε → N_ε → N_ε =
              fn b ys ⇒ if tail(ys) then down (swap (head ys) (sel b (tail ys))) ys
                        else ys
           in sel xs xs end

val sel_sort : N_ε → N_◇ =
  fn xs ⇒ letrec ssort : N_ε → N_ε → N_◇ =
              fn b ys ⇒ let val m = select ys in cons (head m) (ssort b (tail m)) end
           in ssort xs xs end

Figure 6. Selection-sort in ATR. 

than found in pure implicit complexity, but it also gives us a less cluttered setting to work out the 
basics of complexity-theoretic compositional semantics, the focus of the rest of the paper. Also, 
in practice the proofs that the uses of down force into the correctness argument are for the most 
part obvious, and thus not a large burden on the programmer. 
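As an added, executable model (not code from the paper) of the list encoding of Section 3 and the programs of Figures 4-6: cons, head, tail, insert, ins_sort, select and sel_sort are transcribed into Python over strings of '0'/'1', and crec is modelled on the (crec) evaluation rule, so the clock bound |v_1| alone decides how many unfoldings may occur. Assumptions: leq compares the words as binary numerals, and sel_sort tests for the empty list before recursing.

```python
# Executable model (added here; not code from the paper) of the ATR list encoding and
# the sorting programs of Figures 4-6, over Python strings of '0'/'1'.
# Clocked recursion is modelled directly on the (crec) evaluation rule.

def c0(w): return "0" + w          # add a left-most 0
def c1(w): return "1" + w          # add a left-most 1
def d(w):  return w[1:]            # delete the left-most bit (d(eps) = eps)
def t0(w): return w[:1] == "0"     # does w begin with 0?
def t1(w): return w[:1] == "1"     # does w begin with 1?

def down(s, t):
    """Length test: s when |s| <= |t|, otherwise the empty word."""
    return s if len(s) <= len(t) else ""

def crec(body):
    """letrec f = body: by the (crec) rule the unfolding binds f to the same
    recursion with clock 0a, and a call runs only while |a| <= |v_1| (the first
    argument).  The clock is modelled as the integer |a|, starting at |eps| = 0."""
    def unfold(clock):
        def f(b, *rest):
            if clock <= len(b):
                return body(unfold(clock + 1), b, *rest)
            return ""                 # clock expired: the recursion yields eps
        return f
    return unfold(0)

def leq(x, y):
    """Stand-in for the paper's leq (left as an exercise there): binary numerals."""
    return (int(x, 2) if x else 0) <= (int(y, 2) if y else 0)

# Figure 4: s(w) = 1b_0 1b_1 ... 1b_{k-1} 0; a list is the concatenation of its s(w_i).
nil = ""

def cons(x, xs):
    enc = crec(lambda enc, b, y:
               (c1(c0(enc(b, d(y)))) if t0(y) else c1(c1(enc(b, d(y)))))
               if y else c0(xs))
    return enc(x, x)

def head(xs):
    dec = crec(lambda dec, b, ys:
               (c0(dec(b, d(d(ys)))) if t0(d(ys)) else c1(dec(b, d(d(ys)))))
               if t1(ys) else "")
    return down(dec(xs, xs), xs)      # coerce the N_<> result back to N_eps

def tail(xs):
    strip = crec(lambda strip, b, ys: strip(b, d(d(ys))) if t1(ys) else d(ys))
    return strip(xs, xs)

# Figure 5: insertion sort; the recursive call sits inside an argument of cons.
def insert(x, xs):
    ins = crec(lambda ins, b, ys:
               (cons(x, ys) if leq(x, head(ys)) else cons(head(ys), ins(b, tail(ys))))
               if ys else cons(x, nil))
    return ins(xs, xs)

def ins_sort(xs):
    isort = crec(lambda isort, b, ys:
                 insert(head(ys), down(isort(b, tail(ys)), ys)) if ys else "")
    return isort(xs, xs)

# Figure 6: selection sort; the recursive call sits in the body of a let.
def swap(x, xs):
    return cons(x, xs) if leq(x, head(xs)) else cons(head(xs), cons(x, tail(xs)))

def select(xs):
    sel = crec(lambda sel, b, ys:
               down(swap(head(ys), sel(b, tail(ys))), ys) if tail(ys) else ys)
    return sel(xs, xs)

def sel_sort(xs):
    # The empty-list test is an assumption of this model: it stops the clocked
    # recursion once the list is exhausted instead of consing s(eps) until the clock runs out.
    ssort = crec(lambda ssort, b, ys:
                 (lambda m: cons(head(m), ssort(b, tail(m))))(select(ys)) if ys else "")
    return ssort(xs, xs)

# Helpers to move between Python lists of bit strings and the encoding.
def encode_list(words):
    xs = nil
    for w in reversed(words):
        xs = cons(w, xs)
    return xs

def decode_list(xs):
    out = []
    while xs:
        out.append(head(xs))
        xs = tail(xs)
    return out

def clock_stops(v):
    """A body that never shrinks its argument: the clock alone forces termination
    after |v| + 1 unfoldings, with result eps.  Returns (result, number of calls)."""
    calls = []
    loop = crec(lambda loop, b, y: (calls.append(1), loop(b, y))[1])
    return loop(v, v), len(calls)

if __name__ == "__main__":
    sample = ["10", "1", "11"]        # constructed input: the numerals 2, 1, 3
    xs = encode_list(sample)
    print(xs)                          # 1110011011110
    print(decode_list(ins_sort(xs)))   # ['1', '10', '11']
    print(decode_list(sel_sort(xs)))   # ['1', '10', '11']
    print(clock_stops("101"))          # ('', 4)
```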

4. Time-complexity semantics and soundness for non-recursive terms 

The key fact we want to establish about ATR and its operational semantics is that the cost of 
evaluating a term to a value is, in an appropriate sense, polynomially bounded. This section sets 
up the framework for proving this and establishes the result for non-recursive terms. 

The key technical notion is that of bounding a closure $t\rho$ by a time-complexity, which provides 
upper bounds on both the cost of evaluating $t\rho$ to a value $z\theta$ as well as the potential cost of us- 
ing $z\theta$. The potential of a base-type closure is just its (denotation's) length, whereas the potential 
of a function $f$ is itself a function that maps potentials $p$ to the time complexity of evaluating $f$ 
on arguments of potential $p$ (more on this later; we give precise definitions in Section 4.1). The 
bounding relation gives a time-complexity semantics for ATR-terms; a soundness theorem asserts 
the existence of a bounding time-complexity for every ATR term. In this paper, our soundness 
theorems also assert that the bounding time-complexities are safe (Definition 6), which in partic- 
ular implies type-2 polynomial size and cost bounds for the closure. We thereby encapsulate the 
Soundness, polynomial-size-boundedness, and polynomial-time-boundedness theorems of ATS (the 
value semantics for the meaning of ATR terms and corresponding soundness theorem are essentially 
unchanged). 

4.1. Time-complexity semantics. Our prior discussion of ATR types and terms situated their 
semantics in the realm of values, i.e., 0-1-strings, functions over strings, functionals over functions 
over strings, etc. To work with time-complexities and potentials we introduce a new type system 
and new semantic realm for bounds. We will connect the realms of values and bounds in Definition 4, 
where we introduce bounding relations. 

Leivant's recursion under a high-tier bound [17, §3.1] implements a similar idea. 
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We start by defining cost, potential, and time- complexity types, all of which are elements of the 
simple product type structure over the time- complexity base types {T} U {T^ I L is a label}. The 
intended interpretation of these base types is the unary numerals and of product types the usual 
cartesian product. The arrow types are interpreted as the pointwise monotone non-decreasing 
functions and are further "pruned" analogously to the well-tempered semantics for ATR (see the 
discussion following Definition [2]) — for more details see Section 12 of ATS and in particular Defi- 
nition 49. 

We define a subtype relation on base types by T/, <: T^/ if L < L' and Tl <: T for all L, and 
extend it to product and function types in the standard way. The only cost type is T. For each 
ATR-type a we define the time- complexity type \\a\\ and potential type {{a)) by 

llrll = T X ((r)) ((N,.)) = {{a - r)) = {{a)) - ||r||. 

We denote the left- and right-projections on ||r|| by cost{-) and pot(-), respectively. Define 
taz/(||T||) = {{tail{T))). Extend the notions of predicative, impredicative, etc. from Definition [2] 
to time-complexity and potential types in the obvious way. We note that \\a\\ <: \\t\\ iff a <: r. 
We define ||c7|| oc ||r|| if o" oc r and {{a)) oc ((r)) if o" oc r. 

We will need to describe objects in the time-complexity types and introduce a small formalism 
to do so. We will only consider terms of cost, potential, and time-complexity type. We use a fresh 
set of variables that we call time- complexity variables and for each ATR oracle symbol a"" we have 
a time- complexity oracle symbol a"'^'!. Define a time- complexity context to be a finite map from t.c. 
variables to cost and potential types0 For a t.c. context S, a T,- environment is a finite map from 
Dom S to the interpretation of the time-complexity types that respects the type S assigns to each 
variable; we denote the set of E-environments by E-Env. We use the same extension notation for 
t.c. environments as for term environments. We extend || • || to ATR-type contexts by introducing 
t.c. variables Xc and Xp for each ATR-variable x and setting IjF; A|[ = ^(x:a)e{r;A){xc-'^ , Xp:{{a))}. A 
time- complexity denotation of t.c. type 7 w.r.t. a t.c. environment S is a function X : S-Env 7. 
The projections cost and pot extend to t.c. denotations as cost{X) = q ^ cost{XQ) and pot{X) = 
g pot{XQ). We now come to the main technical notion, that of bounding a term by a t.c. 
denontation. 
Definition 4.

(1) Suppose $t\rho$ is a closure and $z\theta$ a value, both of type $\tau$; $\chi$ a time-complexity of type $\|\tau\|$; and $q$ a potential of type $((\tau))$. Define the bounding relations $t\rho \sqsubseteq^{\tau} \chi$ and $z\theta \sqsubseteq^{\tau}_{pot} q$ as follows:

(a) $t\rho \sqsubseteq^{\tau} \chi$ if $t\rho \downarrow_{cost(\chi)} z\theta$ and $z\theta \sqsubseteq^{\tau}_{pot} pot(\chi)$ (recall that the subscript on $\downarrow$ indicates an upper bound on the cost of the evaluation derivation).

(b) $z\theta \sqsubseteq^{b}_{pot} q$ if $|z| \le q$.

(c) $(\lambda v.t)\theta \sqsubseteq^{\sigma \to \tau}_{pot} q$ when for all values $z\eta$ and all potentials $p$, if $z\eta \sqsubseteq^{\sigma}_{pot} p$, then $t\theta[v \mapsto z\eta] \sqsubseteq^{\tau} q(p)$.

(d) $a\theta \sqsubseteq^{\sigma \to \tau}_{pot} q$ when for all values $z\eta$ and all potentials $p$, if $z\eta \sqsubseteq^{\sigma}_{pot} p$, then $(a(z\eta))[\,] \sqsubseteq^{\tau} q(p)$.

(2) For $\rho \in (\Gamma;\Delta)$-Env and $\varrho \in \|\Gamma;\Delta\|$-Env, we write $\rho \sqsubseteq \varrho$ if for all $v \in \mathrm{Dom}\,\rho$ we have that $v\rho \sqsubseteq (\varrho(v_c), \varrho(v_p))$.

(3) For an ATR-term $\Gamma;\Delta \vdash t : \tau$ and a time-complexity denotation $X$ of type $\|\tau\|$ w.r.t. $\|\Gamma;\Delta\|$, we say $t \sqsubseteq X$ if for all $\rho \in (\Gamma;\Delta)$-Env and $\varrho \in \|\Gamma;\Delta\|$-Env such that $\rho \sqsubseteq \varrho$ we have that $t\rho \sqsubseteq X\varrho$.



For obvious reasons, we shall start abbreviating "time-complexity" as "t.c."
We will drop the superscript on $\sqsubseteq$ when it is clear from context.
$$\Sigma, x : \gamma \vdash x : \gamma \qquad
\frac{\Sigma \vdash p : \gamma}{\Sigma \vdash p : \gamma'}\ (\gamma \propto \gamma') \qquad
\frac{\Sigma \vdash p : \gamma}{\Sigma \vdash p : \gamma'}\ (\gamma <: \gamma')$$

$$\frac{\Sigma \vdash p : b \quad \Sigma \vdash q : b}{\Sigma \vdash p \bullet q : b} \qquad
\frac{\Sigma \vdash p : b \quad \Sigma \vdash q : b}{\Sigma \vdash p \vee q : b}$$

$$\frac{\Sigma, x : ((\sigma)) \vdash p : \|\tau\|}{\Sigma \vdash \lambda x.p : ((\sigma \to \tau))} \qquad
\frac{\Sigma \vdash p : ((\sigma \to \tau)) \quad \Sigma \vdash q : ((\sigma))}{\Sigma \vdash p\,q : \|\tau\|}$$

$$\frac{\Sigma \vdash p : \mathsf{T} \quad \Sigma \vdash q : ((\tau))}{\Sigma \vdash (p, q) : \|\tau\|} \qquad
\frac{\Sigma \vdash p : \|\tau\|}{\Sigma \vdash cost(p) : \mathsf{T}} \qquad
\frac{\Sigma \vdash p : \|\tau\|}{\Sigma \vdash pot(p) : ((\tau))}$$

Figure 7. Typing rules for time-complexity polynomials. The type $b$ is a t.c. base type, $\gamma$ and $\gamma'$ are any t.c. or potential types, and $\sigma$ and $\tau$ are any ATR-types. The operation $\bullet$ is $+$ or $*$, and in this rule $b$ is either $\mathsf{T}$ or $\mathsf{T}_L$ for some $L$.

We define second-order polynomial expressions of cost, potential, and time-complexity types using the operations $+$, $*$, and $\vee$ (plus, times, and binary maximum); the typing rules are given in Figure 7. Of course, a polynomial $\Sigma \vdash p : \gamma$ corresponds to a t.c. denotation of type $\gamma$ w.r.t. $\Sigma$ in the obvious way. We shall frequently write $p_p$ for $pot(p)$. Our primary interest is in constructing a bounding t.c. polynomial $\|\Gamma;\Delta\| \vdash p : \|\tau\|$ for each term $\Gamma;\Delta \vdash t : \tau$. Rather than writing $p = \cdots(x_c, x_p)\cdots$ for each $x \in \mathrm{Dom}(\Gamma \cup \Delta)$, we shall just write $p = \cdots x \cdots$.

Definition 5. Suppose $\Sigma \vdash p : \gamma$ is a t.c. polynomial and $s$ is a subterm occurrence of $p$. We say that $s$ is shadowed if (1) $s$ occurs in a context $ts$ where the occurrence of $t$ has impredicative type $\sigma \to \tau$ with $tail(\tau) <: tail(\sigma)$, or (2) the occurrence of $s$ appears properly within another shadowed subterm occurrence.

Definition 6. Let $\gamma$ be a potential type, $b$ a time-complexity base type, $p$ a potential polynomial, and suppose $\Sigma \vdash p : \gamma$.

(1) $p$ is $b$-strict w.r.t. $\Sigma$ when $tail(\gamma) <: b$ and every unshadowed free-variable occurrence in $p$ has a type with tail $<: b$.

(2) $p$ is $b$-chary w.r.t. $\Sigma$ when $\gamma = b$ and $p = p_1 \vee \cdots \vee p_m$ with $m \ge 0$, where $p_i = (v\,q_1 \ldots q_k)$ with $v$ a variable or oracle symbol and each $q_j$ $b$-strict w.r.t. $\Sigma$. As special cases we get $p = 0$ ($m = 0$) and $p = v$ for $v$ a base-type potential variable ($m = 1$ and $k = 0$).

(3) $p$ is $b$-safe w.r.t. $\Sigma$ if:

(a) $\gamma$ is a base type and $p = q \oplus_b r$ where $q$ is $b$-strict and $r$ is $b$-chary, $\oplus_b = \vee$ if $b$ is oracular, and $\oplus_b = +$ if $b$ is computational.

(b) $\gamma = ((\sigma \to \tau))$ and $pot(p\,v)$ is $b$-safe w.r.t. $\Sigma, v : ((\sigma))$.

(4) A t.c. polynomial $\Sigma \vdash q : \|\tau\|$ is $b$-safe if $pot(q)$ is.

(5) A t.c. denotation $X$ of type $\|\tau\|$ w.r.t. $\Sigma$ is $b$-safe if there is a $b$-safe t.c. polynomial $\Sigma \vdash p : \|\tau\|$ such that $X \le p$. $X$ is safe if $X$ is $tail(\|\tau\|)$-safe.



Remember that this inequality is with respect to the well-tempered semantics discussed at the beginning of this section.
For full details and basic properties of safety, see ATS Section 8. Here we just give a couple of example propositions to get a feel for how to manipulate safe polynomials.

Proposition 1. If $\Sigma, x : \mathsf{T} \vdash p : \mathsf{T}_L$ is a $\mathsf{T}_L$-safe polynomial, then every occurrence of $x$ in $p$ is shadowed.

Proof. Set $b = \mathsf{T}_L$. We have that $p = q \oplus_b r$ where $q$ is $b$-strict and $r$ is $b$-chary. Since $q$ is $b$-strict and $\mathsf{T}_L <: \mathsf{T}$, any occurrence of $x$ in $q$ must be shadowed. The polynomial $r$ cannot have the form $\cdots \vee x \vee \cdots$, because this latter expression can only have type $\mathsf{T}$. Thus any occurrence of $x$ in $r$ must occur in some $b$-strict polynomial, and the argument just given tells us that any such occurrence must be shadowed. $\square$

Under the well-tempered semantics, shadowed subterms do not contribute to the value of a polynomial. Thus we can w.l.o.g. assume that any safe potential polynomial contains only variables of potential type, by replacing every occurrence of every variable of type $\mathsf{T}$ with $\varepsilon$.

Proposition 2. If $p$ and $p'$ are $b$-safe potential polynomials, then there is a $b$-safe potential polynomial $p^*$ such that $p \vee p' \le p^*$.

Proof. If $b$ is computational, then $p = q + r$ and $p' = q' + r'$ where $q$ and $q'$ are $b$-strict and $r$ and $r'$ are $b$-chary. Thus $p \vee p' = (q + r) \vee (q' + r') \le q + q' + (r \vee r')$, which is $b$-safe. Similarly, if $b$ is oracular, then $p \vee p' = (q \vee r) \vee (q' \vee r') = (q \vee q') \vee (r \vee r')$. $\square$

4.2. Soundness for non-recursive terms. The Soundness Theorem asserts that every term is bounded by a safe t.c. denotation; in particular, the potential component is bounded by a safe type-2 polynomial (we shall also be able to conclude that the cost component is bounded by a type-2 polynomial in the lengths of $t$'s free variables). At base type, the statement about the potential corresponds to the "poly-max" bounds that can be computed for Bellantoni-Cook and Leivant-style tiered functions (e.g., [0, Lemma 4.1]). The bulk of the work is in handling crec terms. To ease the presentation, we first extract out the main claim for ATR$^-$, the sub-system of ATR that does not include crec. Although we could prove a version of the Soundness Theorem directly for ATR$^-$ by structural induction on terms, we state instead a slightly more general proposition from which the Soundness Theorem follows directly. The reason is that when analyzing crec terms we will frequently need to construct bounding t.c. denotations for terms $t$ given assumptions about bounding t.c. denotations for the subterms of $t$. Thus we need to extract out what is really just the induction step of the proof of the ATR$^-$ Soundness Theorem into its own lemma (Lemma 3).

Figure 8 gives a number of operations on time-complexity denotations that correspond to the ATR$^-$ term-forming operations other than application and abstraction. In that figure and the following, we use the notation $\lambda x.\cdots$ to denote the (semantic) map $x \mapsto \cdots$. For application and abstraction, we make the following definitions:

Definition 7.

(1) For a potential $p$, if $p$ is of base type, $val\,p = (1 \vee p, p)$; if $p$ is of higher type, then $val\,p = (1, p)$. (Notice that $val(p)$ is a time-complexity that bounds a value with potential $p$.) For a t.c. environment $\varrho$ and ATR variable $v$ we write $\varrho[v \mapsto \chi]$ for $\varrho[v_c, v_p \mapsto cost(\chi), pot(\chi)]$.

(2) If $Y$ is a t.c. denotation of type $\|\tau\|$ w.r.t. $\Sigma, \|v : \sigma\|$, then
$$\Lambda_{\varrho} v.Y =_{df} \lambda\varrho.\,\big(1,\ \lambda v_p.\,Y\varrho[v \mapsto val(v_p)]\big)$$
is a t.c. denotation of type $\|\sigma \to \tau\|$ w.r.t. $\Sigma$.
$$\begin{aligned}
c &: X \mapsto \lambda\varrho.\,(1 + cost(X\varrho),\ 1 + pot(X\varrho)) \\
d &: X \mapsto \lambda\varrho.\,(1 + cost(X\varrho),\ pot(X\varrho)) \\
tst &: X \mapsto \lambda\varrho.\,(1 + cost(X\varrho),\ 1) \\
cond &: (X, Y, Z) \mapsto \lambda\varrho.\,(1 + cost(X\varrho) + (cost(Y\varrho) \vee cost(Z\varrho)),\ pot(Y\varrho) \vee pot(Z\varrho)) \\
down &: (X, Y) \mapsto \lambda\varrho.\,(1 + cost(X\varrho) + cost(Y\varrho) + 2\,pot(Y\varrho),\ pot(Y\varrho))
\end{aligned}$$

Figure 8. Operations on time-complexity denotations of base type.

(3) If $X$ and $Y$ are t.c. denotations of type $\|\sigma \to \tau\|$ and $\|\sigma\|$ w.r.t. $\Sigma$, then
$$X \star Y =_{df} \lambda\varrho.\,\big(cost(X\varrho) + cost(Y\varrho) + cost(\chi) + 1,\ pot(\chi)\big)$$
is a t.c. denotation of type $\|\tau\|$ w.r.t. $\Sigma$, where $\chi = pot(X\varrho)(pot(Y\varrho))$. For $\bar{Y} = Y_1, \ldots, Y_k$ we write $X \star \bar{Y}$ for $X \star Y_1 \star \cdots \star Y_k = ((X \star Y_1) \star \ldots) \star Y_k$.

The key lemma is the following; the apparent complexity is solely due to our embedding of what would normally be an induction hypothesis into the statement of the lemma itself.
Lemma 3.

(1) Suppose $\Gamma;\Delta \vdash r : b$, $\Gamma;\Delta \vdash s : b'$, $\Gamma;\Delta \vdash t : b'$ and that $X$, $Y$, and $Z$ are t.c. denotations of types $\|b\|$, $\|b'\|$, and $\|b'\|$ w.r.t. $\|\Gamma;\Delta\|$ respectively such that $r \sqsubseteq X$, $s \sqsubseteq Y$, and $t \sqsubseteq Z$. Then:

(a) $c_a r \sqsubseteq c\,X$, $d\,r \sqsubseteq d\,X$, and $t_a r \sqsubseteq tst\,X$.

(b) $\mathsf{if}\ r\ \mathsf{then}\ s\ \mathsf{else}\ t \sqsubseteq cond(X, Y, Z)$.

(c) $down\ r\ s \sqsubseteq down(X, Y)$.

(2) If $\Gamma, v : \sigma; \Delta \vdash t : \tau$, $X$ is a t.c. denotation of type $\|\tau\|$ w.r.t. $\|\Gamma, v : \sigma; \Delta\|$, and $t \sqsubseteq X$, then $\lambda v.t \sqsubseteq \Lambda_{\varrho} v.X$.

(3) If $\Gamma;\Delta_0 \vdash s : \sigma \to \tau$, $\Gamma;\Delta_1 \vdash t : \sigma$, $\Delta_0$ and $\Delta_1$ satisfy the side-conditions of $\to$-E, $X$ and $Y$ are t.c. denotations of type $\|\sigma \to \tau\|$ and $\|\sigma\|$ w.r.t. $\|\Gamma;\Delta_0\|$ and $\|\Gamma;\Delta_1\|$ respectively, and $s \sqsubseteq X$ and $t \sqsubseteq Y$, then $st \sqsubseteq X \star Y$.

Proof. Part 1 is a direct unwinding of the definitions; Parts 2 and 3 take a little more work. The details are essentially identical to those of the corresponding induction steps of the proof of Lemma 70(b) in ATS. $\square$

Proposition 4. If $X$, $Y$, and $Z$ are safe t.c. denotations of appropriate types, then $c(X)$, $d(X)$, $tst(X)$, $cond(X, Y, Z)$, $down(X, Y)$, $\Lambda_{\varrho} v.X$, and $X \star Y$ are safe t.c. denotations.

Proof sketch. This is again an unwinding of definitions; we present the $X \star Y$ case as an example. Suppose $X$ and $Y$ are t.c. denotations of type $\|\sigma \to \tau\|$ and $\|\sigma\|$ respectively w.r.t. $\Sigma$, $X \le (P_X, p_X)$ and $Y \le (P_Y, p_Y)$, where $tail\,\tau = b$ and $p_X : ((\sigma \to \tau)) = ((\sigma)) \to \|\tau\|$ is $b$-safe. By definition $pot(p_X v)$ is $b$-safe w.r.t. $\Sigma, v : ((\sigma))$, where $v$ is a fresh variable. By Lemma 32 of ATS (Substitution of safe polynomials), $pot(p_X p_Y) \le p$ for some $b$-safe polynomial $p$. Since $pot(X \star Y) \le pot(p_X p_Y)$ we conclude that $X \star Y$ is $b$-safe. $\square$

This and other similar computations of the full proof rely on simple properties of the well-tempered semantics of ATS to which we alluded earlier.
Theorem 5. For every ATR$^-$ term $\Gamma;\Delta \vdash t : \tau$ there is a $tail(\|\tau\|)$-safe t.c. denotation $X$ of type $\|\tau\|$ w.r.t. $\|\Gamma;\Delta\|$ such that $t \sqsubseteq X$.

Proof. The proof is by induction on the typing inference. The cases of the induction step corresponding to the syntax-directed rules are given by Lemma 3, and if the last line of the typing inference is either (Shift) or (Subsumption), then the corresponding typing rule for t.c. polynomials applies. So we are just left with establishing the base cases. The constants are easy, and $x \sqsubseteq (x_c, x_p)$ by the definition of $\rho \sqsubseteq \varrho$. That leaves us with oracles. We can give an explicit definition of a safe t.c. denotation $\|a\|$ such that $a \sqsubseteq \|a\|$ in terms of the length of $a$. However, defining the length of $a$ entails defining the length-types, which would take us somewhat far afield. We delay these definitions until the later section in which we show how to extract second-order polynomial bounds on the cost of evaluating ATR programs. $\square$

Definition 8. For an ATR$^-$ term $\Gamma;\Delta \vdash t : \tau$ we define the time-complexity interpretation of $t$, $\|t\|$, to be the t.c. denotation $X$ of Theorem 5.

Corollary 6 (Soundness for ATR$^-$). For every ATR$^-$ term $\Gamma;\Delta \vdash t : \tau$, $\|t\|$ is $tail(\|\tau\|)$-safe w.r.t. $\|\Gamma;\Delta\|$ and $t \sqsubseteq \|t\|$.

5. Soundness for ATR

Our goal in this section is to extend the Soundness argument for ATR$^-$ to handle crec terms, thereby proving Soundness for ATR. First we define plain affine recursion in Section 5.1, which captures (up to $\eta$-equivalence) how a recursively-defined function can occur in its definition. In Section 5.2 we prove the Decomposition Lemma (Theorem 11), which characterizes the t.c. denotations that bound plain affine recursive definitions. Specifically, we give an algebraic characterization in which the cost of the application of the affine variable occurs as a linear term with coefficient 1 (hence our terminology). In Section 5.3.1 we use the Decomposition Lemma to prove the Unfolding Lemma (Theorem 12 and Corollary 13), which gives polynomial bounds on recursively-defined functions in terms of their recursion depth (Definition 12). We also prove the Termination Lemma (Theorem 15), which gives polynomial bounds on the recursion depth. This provides the last step needed to prove Soundness for ATR (Theorem 16 and Corollary 17).

Formally, of course, we should write $\|\Gamma;\Delta \vdash t : \tau\|$ for the interpretation of Definition 8, but the typing should always be clear from context.

5.1. Plain affine recursion. As already noted, our list-operation and sorting programs use several forms of recursion that go beyond tail recursion. However, they all boil down to (essentially) filling in the argument positions of the recursively-defined function, then using the result in basic operations or as an argument to an application. In fact, they are all instances of the scheme of plain affine recursion:

Definition 9. Suppose that $\Gamma; f : b_1 \to \cdots \to b_k \to b_0 \vdash t : b$. $t$ is a plain affine recursive definition of $f$, or $f$ is in plain affine position in $t$, if:

(1) $f \notin \mathrm{fv}(t)$; or

(2) $t = f t_1 \ldots t_k$ where $f \notin \mathrm{fv}(t_i)$ for any $i$ (we call this a complete application of $f$); or

(3) $t = \mathsf{if}\ s\ \mathsf{then}\ s_0\ \mathsf{else}\ s_1$ where $f \notin \mathrm{fv}(s)$ and each $s_i$ is a plain affine recursive definition of $f$; or

(4) $t = op\ s$ where $op$ is any of $c_a$, $d$, or $t_a$ and $s$ is a plain affine recursive definition of $f$; or

(5) $t = down\ s_0\ s_1$ where $s_0$ is a plain affine recursive definition of $f$ and $f \notin \mathrm{fv}(s_1)$; or

(6) $t = s t_1 \ldots t_m$ where $f \notin \mathrm{fv}(s)$ and there is $i$ such that $t_i$ is a plain affine recursive definition of $f$ and $f \notin \mathrm{fv}(t_j)$ for $j \ne i$; or

(7) $t = (\lambda x_1 \ldots x_m.s)\,t_1 \ldots t_m$ where $s$ is a plain affine recursive definition of $f$ and $f \notin \mathrm{fv}(t_i)$ for any $i$ (we call this a let-binding).

Whereas in ATS we enforced a side condition on (crec-I) that the recursively-defined function be in tail position, it would be much nicer to be able to say that if $\Gamma; f : \gamma \vdash t : b$, then $f$ occurs in plain affine position in $t$. As stated, this does not quite hold. An exception is $(\lambda x.\,f s)\,t_1 t_2$, which is typeable with $f : b_1 \to b_2 \to b$ from appropriate typings of $s$, $t_1$, and $t_2$; but $f$ is not in plain affine position in this expression. A trivial syntactic change "fixes" this expression without changing the meaning: simply replace $\lambda x.\,f s$ with $\lambda x y.\,f s y$ where $y$ is a fresh variable. In fact, it is not hard to show that this exception illustrates essentially the only way in which $f$ can occur affinely in a term without being in plain affine position.
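Definition 9 is a purely syntactic test, so it can be run. The following Python checker is an added example for this page, not code from the paper or from any ATR implementation. It assumes a small term syntax of its own (variables, flat application spines, multi-parameter abstractions, if, the unary constructors, and down); types are ignored, since the clauses only need the arity $k$ of $f$ and free-variable information. The constructed sample terms reproduce the exception just discussed, $(\lambda x.\,f s)\,t_1 t_2$ against its $\eta$-expanded fix, together with the insertion-sort shape from the introduction and a nested, non-affine call.

```python
from dataclasses import dataclass
from typing import Tuple

# Term syntax assumed by this example (not the paper's grammar): application spines
# s t1 ... tm are kept flat, and a let-binding is an App whose head is a Lam with
# exactly as many parameters as there are arguments.
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    fn: object
    args: Tuple[object, ...]

@dataclass(frozen=True)
class Lam:
    params: Tuple[str, ...]
    body: object

@dataclass(frozen=True)
class If:
    cond: object
    then: object
    els: object

@dataclass(frozen=True)
class Op:            # c_a, d, or t_a applied to a single argument
    name: str
    arg: object

@dataclass(frozen=True)
class Down:
    fst: object
    snd: object


def fv(t) -> frozenset:
    """Free variables of a term."""
    if isinstance(t, Var):
        return frozenset({t.name})
    if isinstance(t, App):
        return fv(t.fn).union(*(fv(a) for a in t.args))
    if isinstance(t, Lam):
        return fv(t.body) - frozenset(t.params)
    if isinstance(t, If):
        return fv(t.cond) | fv(t.then) | fv(t.els)
    if isinstance(t, Op):
        return fv(t.arg)
    if isinstance(t, Down):
        return fv(t.fst) | fv(t.snd)
    raise TypeError(f"unknown term {t!r}")


def plain_affine(t, f: str, k: int) -> bool:
    """Is f (of arity k) in plain affine position in t?  Clauses follow Definition 9."""
    if f not in fv(t):                                             # (1)
        return True
    if isinstance(t, App) and t.fn == Var(f):                      # (2) complete application
        return len(t.args) == k and all(f not in fv(a) for a in t.args)
    if isinstance(t, If):                                          # (3)
        return f not in fv(t.cond) and plain_affine(t.then, f, k) and plain_affine(t.els, f, k)
    if isinstance(t, Op):                                          # (4)
        return plain_affine(t.arg, f, k)
    if isinstance(t, Down):                                        # (5)
        return plain_affine(t.fst, f, k) and f not in fv(t.snd)
    if isinstance(t, App) and f not in fv(t.fn):                   # (6) exactly one argument carries f
        carriers = [a for a in t.args if f in fv(a)]
        return len(carriers) == 1 and plain_affine(carriers[0], f, k)
    if isinstance(t, App) and isinstance(t.fn, Lam) and len(t.fn.params) == len(t.args):
        return plain_affine(t.fn.body, f, k) and all(f not in fv(a) for a in t.args)   # (7) let-binding
    return False


# Constructed sample terms.
v, s, t1, t2 = Var("v"), Var("s"), Var("t1"), Var("t2")
f_of = lambda *args: App(Var("f"), tuple(args))

# The exception from the text: (λx. f s) t1 t2 is affine in f but not plain affine ...
bad_let = App(Lam(("x",), f_of(s)), (t1, t2))
# ... while the η-expanded (λxy. f s y) t1 t2 is plain affine.
fixed_let = App(Lam(("x", "y"), f_of(s, Var("y"))), (t1, t2))
# Insertion-sort shape: if isnil v then nil else insert (hd v) (f (tl v)), with k = 1.
ins_sort_body = If(App(Var("isnil"), (v,)), Var("nil"),
                   App(Var("insert"), (App(Var("hd"), (v,)), f_of(App(Var("tl"), (v,))))))
# A nested recursive call f (f v) is not affine at all.
nested = f_of(f_of(v))


def checks():
    return (plain_affine(bad_let, "f", 2), plain_affine(fixed_let, "f", 2),
            plain_affine(ins_sort_body, "f", 1), plain_affine(nested, "f", 1))
```

`checks()` returns `(False, True, True, False)`: the let-binding with a partially applied $f$ under the abstraction fails clause (7) because the abstraction binds one variable but is applied to two arguments, and fails clause (6) because $f$ is free in the operator; the $\eta$-expanded term satisfies (7) with a complete application inside.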

More precisely, we define a recursive operation $t \mapsto t^{\dagger}$ on base-type terms $t$ as follows. If $t = c_0 s$ then $t^{\dagger} = c_0 s^{\dagger}$, and the operation "pushes through" $c_1$, $d$, $t_a$, $\mathsf{if}$, and $down$ similarly. Assume we have a term $t$ such that $\Gamma; f : \gamma \vdash t : b$ where $\gamma = b_1 \to \cdots \to b_k \to b_0$. Consider any base-type subterm of the form $s s_1 \ldots s_m$ that is not an immediate subterm of an application and for which $s$ is not an application. If $f \in \mathrm{fv}(s_i)$ then necessarily $s_i$ is of base type, so $s s_1 \ldots s_{i-1} s_i^{\dagger} s_{i+1} \ldots s_m$ is a plain affine definition of $f$. If $f \in \mathrm{fv}(s)$, then $f \notin \mathrm{fv}(s_i)$ for any $i$ and $s$ cannot be a crec-term, so $s$ has the form $(\lambda x_1 \ldots x_i.s')$ for some $i$ where $s'$ is not an abstraction. Replace $s$ with $(\lambda x_1 \ldots x_m.(s' x_{i+1} \ldots x_m)^{\dagger})$; note that we have "filled out" the arguments of $s$ so that $s' x_{i+1} \ldots x_m$ is of base type. Of course, a formal definition would impose an appropriate measure on terms and define $t^{\dagger}$ recursively in terms of that measure; we leave the details to the interested reader. The relevant properties are as follows, all of which are easily verified by unwinding the definitions:

Proposition 7. Suppose that $\Gamma; f : \gamma \vdash t : b$. Then:

(1) $\Gamma; f : \gamma \vdash t^{\dagger} : b$.

(2) $f$ is in plain affine recursive position in $t^{\dagger}$.

(3) For any environment $\rho$, $t\rho \downarrow z\theta$ iff $t^{\dagger}\rho \downarrow z\theta$.

(4) If $t^{\dagger} \sqsubseteq X$ then $t \sqsubseteq X$.

In particular, we can w.l.o.g. assume that the body of every crec expression is a plain affine recursive definition.

The next proposition shows that typing derivations of plain affine recursive definitions can be placed in a normal form. We will use this normal form in our proof of the Decomposition Lemma (Theorem 11), which characterizes the t.c. denotations that bound plain affine recursive definitions. We call the premise of $\to$-E that types the operator the major premise of the rule.

Proposition 8. Suppose $\mathcal{D}$ is a derivation of $\Gamma;\Delta, f : \gamma \vdash t : b$ where $t$ is a plain affine definition of $f$, $f \in \mathrm{fv}(t)$, and $\gamma = (b_1, \ldots, b_k) \to b_0$. Then:

(1) No (Subsumption) inference is the last line of the major premise of an ($\to$-E) inference in which $f$ occurs free.

(2) No (Subsumption) inference immediately follows an ($\to$-I) inference in which $f$ occurs free.

Proof. The proof is by induction on the shape of $t$, and we consider the possible typings of each shape in turn. The cases in which the induction hypothesis does not immediately apply are $t = f t_1 \ldots t_k$ and $t = (\lambda x_1 \ldots x_m.s)\,t_1 \ldots t_m$.
Suppose $t = f t_1 \ldots t_k$; for concreteness we take $k = 2$ and we write $\Sigma$ for $\Gamma;\Delta, f : \gamma$. Then $\mathcal{D}$ has the following general form: from $\Sigma \vdash f : \gamma$, (Subsumption) gives $\Sigma \vdash f : b_1' \to b_2' \to b_0'$; with minor premise $\Gamma;\_ \vdash t_1 : b_1'$, ($\to$-E) gives $\Sigma \vdash f t_1 : b_2' \to b_0'$; (Subsumption) gives $\Sigma \vdash f t_1 : b_2'' \to b_0''$; and with minor premise $\Gamma;\_ \vdash t_2 : b_2''$, ($\to$-E) gives $\Sigma \vdash f t_1 t_2 : b_0''$.

Since $b_1' <: b_1$, $b_2'' <: b_2' <: b_2$, and $b_0 <: b_0' <: b_0''$, we can rewrite this derivation as follows: from $\Gamma;\_ \vdash t_1 : b_1'$, (Subsumption) gives $\Gamma;\_ \vdash t_1 : b_1$, and with $\Sigma \vdash f : \gamma$, ($\to$-E) gives $\Sigma \vdash f t_1 : b_2 \to b_0$; from $\Gamma;\_ \vdash t_2 : b_2''$, (Subsumption) gives $\Gamma;\_ \vdash t_2 : b_2$, and ($\to$-E) gives $\Sigma \vdash f t_1 t_2 : b_0$; finally, (Subsumption) gives $\Sigma \vdash f t_1 t_2 : b_0''$.

If $t = (\lambda x_1 \ldots x_m.s)\,\bar{t}$ then first apply the induction hypothesis to the typing of $s$. Any (Subsumption) inferences that follow one of the ($\to$-I) inferences can be moved to the end of all those inferences. Thus, as in the previous case, we can move any (Subsumption) inferences that occur as the last line of a major premise in one of the ($\to$-E) inferences $(\lambda\bar{x}.s)\,t_1 \ldots t_i$ to the minor premise, concluding with a possible last (Subsumption) inference. $\square$

The let-binding clause of plain affine recursion leads us to consider t.c. denotations of the form $(\Lambda_{\varrho}\bar{x}.X) \star \bar{Y}$, so we characterize them here. First we define a function on t.c. denotations that allows us to neatly express the "overhead cost" of combining t.c. denotations:

Definition 10. For any t.c. denotation $X$,
$$dally(m, X) =_{df} \lambda\varrho.\,\big(m + cost(X\varrho),\ pot(X\varrho)\big).$$

Proposition 9. If $X$ is a safe t.c. denotation, then so is $dally(m, X)$.

Proposition 10. Let $X$ be a t.c. denotation w.r.t. $\Sigma, \|x_1 : \sigma_1, \ldots, x_m : \sigma_m\|$ and $Y_1, \ldots, Y_m$ be t.c. denotations w.r.t. $\Sigma$. Then
$$(\Lambda_{\varrho}\bar{x}.X) \star \bar{Y} = \lambda\varrho.\,dally\Big(2m + \sum_{i=1}^{m} cost(Y_i\varrho),\ X\varrho[x_i \mapsto val(pot(Y_i\varrho))]\Big).$$

Proof. The proof is by induction on $m$; the base case is immediate. For the induction step we apply the induction hypothesis and unwind definitions. In the following calculation we write $Y_{ic}\varrho$ for $cost(Y_i\varrho)$, $\varrho_m$ for $\varrho[x_i \mapsto val(pot(Y_i\varrho))]$ where $i = 1, \ldots, m$, and similarly for $\varrho_{m+1}$.
$$\begin{aligned}
&(\Lambda_{\varrho} x_1 \ldots x_{m+1}.X) \star Y_1 \star \cdots \star Y_{m+1} \\
&= \Big(\lambda\varrho.\,dally\Big(2m + \sum_{i=1}^{m} Y_{ic}\varrho,\ (\Lambda_{\varrho} x_{m+1}.X)\varrho_m\Big)\Big) \star Y_{m+1} \\
&= \Big(\lambda\varrho.\,dally\Big(2m + \sum_{i=1}^{m} Y_{ic}\varrho,\ \big(\lambda\varrho'.(1,\ \lambda x_{m+1,p}.\,X\varrho'[x_{m+1} \mapsto val(x_{m+1,p})])\big)\varrho_m\Big)\Big) \star Y_{m+1} \\
&= \lambda\varrho.\,\Big(1 + 2m + \sum_{i=1}^{m} Y_{ic}\varrho + 1 + Y_{m+1,c}\varrho + cost(X\varrho_{m+1}),\ pot(X\varrho_{m+1})\Big) \\
&= \lambda\varrho.\,dally\Big(2(m+1) + \sum_{i=1}^{m+1} Y_{ic}\varrho,\ X\varrho_{m+1}\Big).
\end{aligned}$$
$\square$

Footnote to the proof of Proposition 8: it is here that we use the restriction that (Shift) cannot be applied if the affine zone is non-empty; without this restriction, we could have a sequence of (Shift) and (Subsumption) inferences interleaved with the ($\to$-E) inferences, and this proof would not carry through.
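The operations of Definition 7, Figure 8 and Definition 10 are small enough to execute directly, which makes Proposition 10 checkable on concrete inputs. The following Python is an added example, not code from the paper: it represents a time complexity as a pair (cost, potential), a t.c. denotation as a function from an environment to such a pair, and implements $val$, $\Lambda_{\varrho}$, $\star$, $dally$ and the base-type operations literally. It then compares both sides of Proposition 10 on a constructed instance with $m = 2$, and also evaluates $f \star \bar{p}$ after substituting for $f$ a zero-potential denotation $\varepsilon$ of the kind the base case of the Unfolding Lemma uses; the exact shape of that $\varepsilon$ (cost 0, each of the $k$ applications costing 1, final potential 0) is an assumption of this example, chosen so that it reproduces the $(2k + \sum p_{ic},\ 0)$ value that calculation shows.

```python
"""Time-complexity denotations as (cost, potential) pairs; added example, not the paper's code."""
from typing import Any, Callable, Dict, Tuple

TC = Tuple[int, Any]        # (cost, potential): base-type potential is an int (a length bound),
Env = Dict[str, Any]        # higher-type potential is a function from potentials to TCs
Den = Callable[[Env], TC]   # a t.c. denotation maps an environment to a time complexity


def cost(x: TC) -> int:
    return x[0]


def pot(x: TC) -> Any:
    return x[1]


def val(p: Any) -> TC:
    """Definition 7(1): val p = (1 v p, p) at base type and (1, p) at higher type."""
    return (max(1, p), p) if isinstance(p, int) else (1, p)


def bind(env: Env, v: str, chi: TC) -> Env:
    """env[v -> chi]: set v_c := cost(chi) and v_p := pot(chi) (Definition 7(1))."""
    new = dict(env)
    new[v + "_c"], new[v + "_p"] = cost(chi), pot(chi)
    return new


def const(x: TC) -> Den:
    return lambda env: x


def lam(v: str, X: Den) -> Den:
    """Lambda_rho v.X = lambda rho.(1, lambda v_p. X rho[v -> val(v_p)]) (Definition 7(2))."""
    return lambda env: (1, lambda vp: X(bind(env, v, val(vp))))


def lams(vs, X: Den) -> Den:
    """Lambda_rho x1 ... xm.X as nested single abstractions."""
    for v in reversed(vs):
        X = lam(v, X)
    return X


def star(X: Den, Y: Den) -> Den:
    """X * Y (Definition 7(3)): cost of X, of Y, of the application chi, plus one unit."""
    def den(env):
        x, y = X(env), Y(env)
        chi = pot(x)(pot(y))
        return (cost(x) + cost(y) + cost(chi) + 1, pot(chi))
    return den


def stars(X: Den, Ys) -> Den:
    for Y in Ys:
        X = star(X, Y)
    return X


def dally(m: int, X: Den) -> Den:
    """Definition 10: m units of overhead cost, potential unchanged."""
    return lambda env: (m + cost(X(env)), pot(X(env)))


# Figure 8 (base-type operations).
def c_op(X: Den) -> Den:
    return lambda env: (1 + cost(X(env)), 1 + pot(X(env)))


def tst(X: Den) -> Den:
    return lambda env: (1 + cost(X(env)), 1)


def cond(X: Den, Y: Den, Z: Den) -> Den:
    def den(env):
        x, y, z = X(env), Y(env), Z(env)
        return (1 + cost(x) + max(cost(y), cost(z)), max(pot(y), pot(z)))
    return den


def epsilon(k: int) -> Den:
    """Assumed shape of the denotation substituted for f when no recursive call happens:
    cost 0, k curried applications each costing 1, final potential 0."""
    def p(i):
        return 0 if i == 0 else (lambda _: (1, p(i - 1)))
    return const((0, p(k)))


def prop10_sides(vs, X: Den, Ys, env: Env):
    """Left- and right-hand sides of Proposition 10 for m = len(vs)."""
    lhs = stars(lams(vs, X), Ys)(env)
    env2 = env
    for v, Y in zip(vs, Ys):
        env2 = bind(env2, v, val(pot(Y(env))))
    rhs = dally(2 * len(vs) + sum(cost(Y(env)) for Y in Ys), const(X(env2)))(env)
    return lhs, rhs


# Constructed instance: X reads x1 and x2; Y1 = (3, 5) and Y2 = (2, 7) are closed denotations.
X_body: Den = lambda env: (env["x1_c"] + env["x2_c"], env["x1_p"] * env["x2_p"])
Y1, Y2 = const((3, 5)), const((2, 7))


def worked_example():
    lhs, rhs = prop10_sides(["x1", "x2"], X_body, [Y1, Y2], {})
    base = stars(epsilon(2), [Y1, Y2])({})       # cost 2k + sum p_ic = 9, potential 0
    branch = cond(tst(Y1), c_op(Y1), Y2)({})     # (1 + 4 + max(4, 2), max(6, 7)) = (9, 7)
    return lhs, rhs, base, branch
```

Both sides of Proposition 10 come out as $(21, 35)$ on this instance: binding $x_1, x_2$ to $val(5) = (5,5)$ and $val(7) = (7,7)$ gives $X\varrho_2 = (12, 35)$, and the overhead $2m + \sum cost(Y_i) = 4 + 5$ accounts for the two abstraction values and the two applications that the left-hand side pays for one $\star$ at a time.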

5.2. Bounds for recursive definitions: the Decomposition Lemma. We now state and prove the Decomposition Lemma. Throughout this section and the next we will need to assume that the induction hypothesis of the Soundness Theorem holds, because the Decomposition Lemma will be used in its induction step. So to shorten the statements of the coming claims, we name the induction hypothesis:

Inductive Soundness Assumption (ISA): A term $\Gamma; f : \gamma \vdash t : b$ (where $\gamma = (b_1, \ldots, b_k) \to b_0$) satisfies the inductive Soundness assumption if $t$ is a plain affine recursive definition of $f$ and whenever $\Gamma';\_ \vdash s : \tau$ is a subterm of $t$, there is a $tail(\|\tau\|)$-safe t.c. polynomial $(P_s, p_s)$ w.r.t. $\|\Gamma'\|$ such that $s \sqsubseteq (P_s, p_s)$.

For the statement of the Decomposition Lemma, recall our convention that in writing a t.c. polynomial $p$ w.r.t. $\|\Gamma;\Delta\|$, if $x \in \mathrm{Dom}(\Gamma \cup \Delta)$ we write $p(\ldots, x, \ldots)$ to abbreviate $p(\ldots, x_c, x_p, \ldots)$.

Theorem 11 (Decomposition Lemma). Suppose $\Gamma; f : \gamma \vdash t : b$ satisfies the ISA and that $\mathrm{Dom}\,\Gamma = \bar{y}$. Then
$$t \sqsubseteq \big(P(\bar{y}, pot(f \star \bar{p})) + cost(f \star \bar{p}),\ p(\bar{y}, pot(f \star \bar{p}))\big)$$
where $P(\bar{y}, w^{((b_0))}) : \mathsf{T}$ is a cost polynomial, $p(\bar{y}, w^{((b_0))}) : ((b))$ is a $((b))$-safe potential polynomial, and $\bar{p} = p_1, \ldots, p_k$ where for each $i$, $p_i = p_i(\bar{y}) : \|b_i\|$ is a $tail(\|b_i\|)$-safe t.c. polynomial. If $f \notin \mathrm{fv}(t)$, read $f \star \bar{p}$ as $(0, 0)$.

Proof. The proof is by induction on the typing of $t$. For clarity we drop mention of the parameters $\bar{y}$ everywhere. If $f \notin \mathrm{fv}(t)$, then the claim follows from the ISA. Also notice that if the last line of the typing of $t$ is (Subsumption) then the claim follows immediately from the induction hypothesis, because if $b' <: b$, then any $((b'))$-safe polynomial is $((b))$-safe. The last line cannot be (Shift) because this rule cannot be applied to a judgment with non-empty affine zone.

If the last line of the typing is (op-I), (if-I), or (down-I) then the claim follows from the induction hypothesis by using the appropriate operation from Figure 8; we present the (if-I) case as an example. Suppose the last line of the typing is (if-I), so that $t = \mathsf{if}\ s\ \mathsf{then}\ t_0\ \mathsf{else}\ t_1$. By the ISA we have that $s \sqsubseteq (P_s, p_s)$, and by the induction hypothesis that $t_i \sqsubseteq (P^i(pot(f \star \bar{p}^i)) + cost(f \star \bar{p}^i),\ p^i(pot(f \star \bar{p}^i)))$ for appropriate polynomials $P^i$, $p^i$, and $\bar{p}^i = p^i_1, \ldots, p^i_k$. By Lemma 3 we have that
$$\begin{aligned}
t \sqsubseteq\ & \big(1 + P_s + ((P^0(pot(f \star \bar{p}^0)) + cost(f \star \bar{p}^0)) \vee (P^1(pot(f \star \bar{p}^1)) + cost(f \star \bar{p}^1))), \\
& \ \ p^0(pot(f \star \bar{p}^0)) \vee p^1(pot(f \star \bar{p}^1))\big) \\
\le\ & \big(1 + P_s + P(pot(f \star \bar{p})) + cost(f \star \bar{p}),\ p(pot(f \star \bar{p}))\big)
\end{aligned}$$
where $P = P^0 \vee P^1$, $p$ is a safe t.c. polynomial greater than $p^0 \vee p^1$, and $p_i$ is a safe t.c. polynomial greater than $p^0_i \vee p^1_i$ (see Proposition 2).

Footnote to the statement of Theorem 11: recall from Proposition 1 that since $p$ is a potential polynomial, we can in fact assume that $p(\bar{y}, w) = p(\ldots, y_{ip}, \ldots, w)$.

The only other possibility is that the last line is ($\to$-E), and for that we break into cases depending on the exact form of $t$.

Case 1: $t = f t_1 \ldots t_k$. By Proposition 8 we can assume that we have typings $\Gamma;\_ \vdash t_i : b_i$. Since $f \notin \mathrm{fv}(t_i)$ we have $\|b_i\|$-safe t.c. polynomials $p_i$ such that $t_i \sqsubseteq p_i$, and it follows from Lemma 3 that $t \sqsubseteq f \star \bar{p} = (cost(f \star \bar{p}),\ pot(f \star \bar{p}))$.

Case 2: $t = s t_1 \ldots t_m$ where w.l.o.g. $t_m$ is a plain affine definition of $f$ and $f \in \mathrm{fv}(t_m)$. We can assume that $\Gamma;\_ \vdash s t_1 \ldots t_{m-1} : b' \to b$ and $\Gamma; f : \gamma \vdash t_m : b'$ for some $b'$. Since $f \notin \mathrm{fv}(s t_1 \ldots t_{m-1})$ the ISA tells us that $s t_1 \ldots t_{m-1} \sqsubseteq (P_s, p_s) : \|b' \to b\|$ where $(P_s, p_s)$ is $((b))$-safe. The induction hypothesis tells us that $t_m \sqsubseteq (P(pot(f \star \bar{p})) + cost(f \star \bar{p}),\ p(pot(f \star \bar{p})))$, so by Lemma 3 we conclude that
$$t \sqsubseteq \big(1 + P_s + P(pot(f \star \bar{p})) + cost(f \star \bar{p}) + cost(p_s(p(pot(f \star \bar{p})))),\ pot(p_s(p(pot(f \star \bar{p}))))\big).$$
Since $p_s : ((b')) \to \|b\|$ is $((b))$-safe and $p(w^{((b_0))}) : ((b'))$ is $((b'))$-safe, we have that $p_s(p(pot(f \star \bar{p}))) : \|b\|$ is $((b))$-safe, and hence that $pot(p_s(p(pot(f \star \bar{p}))))$ is $((b))$-safe, completing the proof for this case.

Case 3: $t = (\lambda x_1 \ldots x_m.s)\,t_1 \ldots t_m$ where $s$ is a plain affine definition of $f$. By Proposition 8 we may assume that we have typings $\Gamma, \bar{x} : \bar{\sigma}; f : \gamma \vdash s : b$ and $\Gamma;\_ \vdash t_i : \sigma_i$. The induction hypothesis tells us that $s \sqsubseteq (P_s(\bar{x}, pot(f \star \bar{p})) + cost(f \star \bar{p}),\ p_s(\bar{x}, pot(f \star \bar{p})))$ where $p_i = p_i(\bar{x})$, and the ISA tells us that $t_i \sqsubseteq (P^i, p^i)$. Using Lemma 3 and Proposition 10 we conclude that
$$t \sqsubseteq \Big(2m + \sum_{i=1}^{m} P^i + P_s(val(p^1), \ldots, val(p^m), pot(f \star \bar{p}')) + cost(f \star \bar{p}'),\ p_s(p^1, \ldots, p^m, pot(f \star \bar{p}'))\Big)$$
where $p'_i = p_i(val(p^1), \ldots, val(p^m))$. Since each $p^i : ((\sigma_i))$ is $tail(((\sigma_i)))$-safe, $p'_i$ is $((b_i))$-safe, and substituting safe polynomials into safe polynomials yields a t.c. denotation that is bounded by a safe polynomial (ATS Lemma 32), the claim is established. $\square$

Footnote to Case 2 of the proof of Theorem 11: actually, bounded by a $((b))$-safe polynomial; from now on we shall assume that the reader can insert the "bounded by" qualification as needed.

5.3. Polynomial bounds for recursive terms.

5.3.1. Bounds in terms of recursion depth: the Unfolding Lemma. From the Decomposition Lemma we know that if $\Gamma, \bar{v} : \bar{b}; f : \gamma \vdash t : b$ satisfies the ISA, then
$$t \sqsubseteq \big(P(\bar{v}, pot(f \star \bar{p})) + cost(f \star \bar{p}),\ q \oplus_b (r \vee pot(f \star \bar{p}))\big)$$
where $q = q(\bar{v})$ is $((b))$-strict and $r = r(\bar{v})$ is $((b))$-chary (we have suppressed mention of the variables other than $\bar{v}$ and $f$). Let $X_t$ denote this t.c. denotation. Also define the (syntactic) substitution function
$$\xi = [cost(val(p_{ip})),\ pot(val(p_{ip})) \,/\, v_{ic},\ v_{ip}]$$
and set $\xi^0 = id$ and $\xi^{n+1} = \xi^n \circ \xi$ (we write the syntactic substitution of the polynomial $p$ for the variable $x$ in the t.c. denotation $X$ by $X[p/x]$). The point behind these functions is that if $p(v_1, \ldots, v_k)$ is a polynomial, then
$$(\Lambda_{\varrho} v_1 \ldots v_k.p) \star p_1 \star \cdots \star p_k = dally\Big(2k + \sum_{i=1}^{k} p_{ic},\ p\xi\Big)$$
by Proposition 10, and expressions of this form arise frequently in our analysis.

To analyze the evaluation of closures of the form $t\rho[f \mapsto (crec(0^{\ell})(\lambda_r f.\lambda\bar{v}.t))\rho]$ where $t$ is a plain affine recursive definition of $f$, we will actually need to analyze subterms of $t$ under extensions of the environment indicated here. To that end, we make some definitions in order to simplify the statements of the coming claims.

Definition 11. Suppose $\Gamma, v_1 : b_1, \ldots, v_k : b_k; f : \gamma \vdash t : b$ satisfies the ISA. Define

(1) $\Gamma_{\bar{v}} = \Gamma, v_1 : b_1, \ldots, v_k : b_k$;

(2) $C_{t,\ell} =_{df} crec(0^{\ell})(\lambda_r f.\lambda\bar{v}.t)$;

(3) $T_{t,\ell} =_{df} \lambda\bar{v}.\,\mathsf{if}\ |0^{\ell}| < |v_1|\ \mathsf{then}\ t\ \mathsf{else}\ \varepsilon$;

(4) For $\rho \in \Gamma_{\bar{v}}$-Env, $\rho_{t,\ell} =_{df} \rho[f \mapsto C_{t,\ell}\rho]$.

Notice that $C_{t,\ell}\rho \downarrow T_{t,\ell}\rho_{t,\ell+1}$ is an axiom of the evaluation relation. We write $\rho_{\ell}$ for $\rho_{t,\ell}$.

Definition 12. Suppose $\Gamma_{\bar{v}}; f : \gamma \vdash t : b$ satisfies the ISA, $\Gamma^*; f : \gamma \vdash t^* : b^*$ is a subterm of $t$, $\rho \in \Gamma_{\bar{v}}$-Env, and $\rho^* \in \Gamma^*$-Env is an extension of $\rho$. The recursion-depth of $t^*\rho^*_{t,\ell}$, $rdp(t^*\rho^*_{t,\ell})$, is defined to be the number of crec axioms $C_{t,m}\rho' \downarrow T_{t,m}\rho'_{t,m+1}$ in the evaluation derivation of $t^*\rho^*_{t,\ell}$ when $t^*\rho^*_{t,\ell} \downarrow z\theta$ for some $z\theta$, and $rdp(t^*\rho^*_{t,\ell}) = \infty$ otherwise.

The Unfolding Lemma establishes bounds on evaluating closures in terms of recursion depth. The proof is a nested induction: first on the recursion depth, and then on the shape of the plain affine definition. Because of the many cases, its length may hide the simplicity of what is going on, so we make that explicit here: the proof is a careful calculation of the cost of one recursive call in the evaluation.

Theorem 12 (Unfolding Lemma). Suppose $\Gamma_{\bar{v}}; f : \gamma \vdash t : b$ satisfies the ISA. Let $X_t$ and $\xi$ be given as above. Suppose $\rho \in \Gamma_{\bar{v}}$-Env, $\varrho \in \|\Gamma_{\bar{v}}\|$-Env, $\rho \sqsubseteq \varrho$, and that $rdp(t\rho_{\ell}) = d < \infty$. Then:

(1) If $b$ is computational,
$$t\rho_{\ell} \sqsubseteq \Big(d(10 + 3p_{1p}) + (d+1)\Big(2k + \sum_{i=1}^{k} p_{ic} + P(dq + r)\Big),\ (d+1)q + r\Big)\xi^{d}\varrho.$$

(2) If $b$ is oracular,
$$t\rho_{\ell} \sqsubseteq \Big(d(10 + 3p_{1p}) + (d+1)\Big(2k + \sum_{i=1}^{k} p_{ic} + P(q \vee r)\Big),\ q \vee r\Big)\xi^{d}\varrho.$$

Proof. The proof is by induction on $d$. For the base case ($d = 0$) we prove the following claim:
Suppose $\Gamma_*; f : \gamma \vdash t^* : b^*$ is a subterm of $t$ and take $X^*$ so that $t^* \sqsubseteq X^*$ by the Decomposition Lemma. Suppose $\rho^* \in \Gamma_*$-Env is an extension of $\rho$, $\varrho^* \in \|\Gamma_*\|$-Env is an extension of $\varrho$, and $\rho^* \sqsubseteq \varrho^*$. If $rdp(t^*\rho^*_{t,\ell}) = 0$ then $t^*\rho^*_{t,\ell} \sqsubseteq X^*[\varepsilon/f]\varrho^*$.

First let us see that this claim yields the desired bound when $d = 0$. It tells us that $t\rho_{\ell} \sqsubseteq X_t[\varepsilon/f]\varrho$. Thus if $b$ is computational
$$\begin{aligned}
t\rho_{\ell} &\sqsubseteq \big(P(pot(f \star \bar{p})) + cost(f \star \bar{p}),\ q + (r \vee pot(f \star \bar{p}))\big)[\varepsilon/f]\varrho \\
&= \Big(P(0) + \Big(2k + \sum p_{ic}\Big),\ q + (r \vee 0)\Big)\varrho \\
&\le \Big(2k + \sum p_{ic} + P(r),\ q + r\Big)\xi^{0}\varrho.
\end{aligned}$$
The calculation is similar when $b$ is oracular.

We prove the claim by induction on the shape of $t^*$ (a plain affine definition of $f$ that satisfies the ISA). For each case of the induction, we import the notation from the corresponding case in the proof of the Decomposition Lemma. We give the details for a few cases, leaving the rest to the reader. The case in which $t^* = f t_1 \ldots t_k$ is not possible, because necessarily $rdp((f t_1 \ldots t_k)\rho^*_{\ell}) > 0$.

Case 1: $t^* = \mathsf{if}\ s\ \mathsf{then}\ t_0\ \mathsf{else}\ t_1$. Consider the subcase in which $s\rho^*_{\ell} \downarrow \varepsilon\theta$ (the other subcase is analogous). An analysis of the evaluation of $t^*\rho^*_{\ell}$ yields
$$\begin{aligned}
cost(t^*\rho^*_{\ell}) &= 1 + cost(s\rho^*_{\ell}) + cost(t_0\rho^*_{\ell}) \\
&\le 1 + P_s\varrho^* + cost(X_{t_0}[\varepsilon/f]\varrho^*) \quad \text{(by applying the ISA to $s$ and the secondary induction hypothesis to $t_0$)} \\
&\le \big(1 + P_s + (cost(X_{t_0}[\varepsilon/f]) \vee cost(X_{t_1}[\varepsilon/f]))\big)\varrho^* \\
&= cost(X^*[\varepsilon/f]\varrho^*).
\end{aligned}$$
Furthermore, if $t^*\rho^*_{\ell} \downarrow z\theta$ then $t_0\rho^*_{\ell} \downarrow z\theta$, so again by the secondary induction hypothesis we have that
$$z\theta \sqsubseteq_{pot} pot(X_{t_0}[\varepsilon/f])\varrho^* \le pot(X_{t_0}[\varepsilon/f] \vee X_{t_1}[\varepsilon/f])\varrho^* = pot(X^*[\varepsilon/f]\varrho^*).$$
The two facts together tell us that $t^*\rho^*_{\ell} \sqsubseteq X^*[\varepsilon/f]\varrho^*$.

Case 2: $t^* = s t_1 \ldots t_m$ where w.l.o.g. $t_m$ is a plain affine definition of $f$ and $f \in \mathrm{fv}(t_m)$. By the secondary induction hypothesis we may assume that $t_m\rho^*_{\ell} \sqsubseteq X_{t_m}[\varepsilon/f]\varrho^*$, and following the notation of the Decomposition Lemma, $s t_1 \ldots t_{m-1} \sqsubseteq (P_s, p_s)$. Suppose $(s t_1 \ldots t_{m-1})\rho^*_{\ell} \downarrow (\lambda x.s')\theta'$ (the case of evaluating to an oracle is similar), $t_m\rho^*_{\ell} \downarrow z''\theta''$, and $s'\theta'[x \mapsto z''\theta''] \downarrow z\theta$ (these evaluations are all defined because they are subevaluations of that of $t^*\rho^*_{\ell}$). By definition of $\sqsubseteq$ we have that $s'\theta'[x \mapsto z''\theta''] \sqsubseteq p_s(pot(X_{t_m}[\varepsilon/f]\varrho^*))$. An analysis of the evaluation of $t^*\rho^*_{\ell}$ yields
$$\begin{aligned}
cost(t^*\rho^*_{\ell}) &= 1 + cost((s t_1 \ldots t_{m-1})\rho^*_{\ell}) + cost(t_m\rho^*_{\ell}) + cost(s'\theta'[x \mapsto z''\theta'']) \\
&\le \big(1 + P_s + cost(X_{t_m}[\varepsilon/f]) + cost(p_s(pot(X_{t_m}[\varepsilon/f])))\big)\varrho^* \\
&= cost(X^*[\varepsilon/f]\varrho^*).
\end{aligned}$$
And if $t^*\rho^*_{\ell} \downarrow z\theta$ then $s'\theta'[x \mapsto z''\theta''] \downarrow z\theta$, so we conclude that
$$z\theta \sqsubseteq_{pot} pot(p_s(pot(X_{t_m}[\varepsilon/f]\varrho^*))) = pot(X^*[\varepsilon/f]\varrho^*).$$
Case 3: $t^* = (\lambda x_1 \ldots x_m.s)\,\bar{t}$ where $s$ is a plain affine definition of $f$. Say that $t_i\rho^*_{\ell} \downarrow z'_i\theta'_i$ and $s\rho^*_{\ell}[x_i \mapsto z'_i\theta'_i] \downarrow z\theta$ (the evaluations of the subterms and body are all defined because they are subevaluations of $t^*\rho^*_{\ell}$). Following the notation of the Decomposition Lemma we have $t_i \sqsubseteq (P^i, p^i)$, so $z'_i\theta'_i \sqsubseteq_{pot} p^i$. By the secondary induction hypothesis we have that $s\rho^*_{\ell}[x_i \mapsto z'_i\theta'_i] \sqsubseteq X_s[\varepsilon/f]\varrho^*[x_i \mapsto val(p^i\varrho^*)]$. An analysis of the evaluation derivation of $t^*\rho^*_{\ell}$ yields
$$\begin{aligned}
cost(t^*\rho^*_{\ell}) &= 2m + \sum_i cost(t_i\rho^*_{\ell}) + cost(s\rho^*_{\ell}[x_i \mapsto z'_i\theta'_i]) \\
&\le 2m + \sum_i P^i\varrho^* + cost(X_s[\varepsilon/f]\varrho^*[x_i \mapsto val(p^i\varrho^*)]) \quad (cost(t_i\rho^*_{\ell}) = cost(t_i\rho^*) \text{ because } f \notin \mathrm{fv}(t_i)) \\
&= \Big(2m + \sum_i P^i + P_s(\ldots, val(p^i), \ldots, pot(f \star \bar{p}')) + cost(f \star \bar{p}')\Big)[\varepsilon/f]\varrho^* \\
&= cost(X^*[\varepsilon/f]\varrho^*)
\end{aligned}$$
where $p'_j = p_j(\ldots, val(p^i), \ldots)$, and
$$\begin{aligned}
z\theta &\sqsubseteq_{pot} pot(X_s[\varepsilon/f]\varrho^*[x_i \mapsto val(p^i\varrho^*)]) \\
&= p_s(\bar{x}, pot(f \star \bar{p}))[\varepsilon/f]\varrho^*[x_i \mapsto val(p^i\varrho^*)] \\
&= p_s(\ldots, p^i, \ldots, pot(f \star \bar{p}'))[\varepsilon/f]\varrho^* \\
&= pot(X^*[\varepsilon/f]\varrho^*).
\end{aligned}$$
Thus $t^*\rho^*_{\ell} \sqsubseteq X^*[\varepsilon/f]\varrho^*$. This completes the proof of the claim, and hence of the base case of the Unfolding Lemma.

For the induction step, suppose that $rdp(t\rho_{\ell}) = d + 1$. We show just the case when $b$ is computational; the oracular case is similar. Set
$$Y = \Big(d(10 + 3p_{1p}) + (d+1)\Big(2k + \sum p_{ic} + P(dq + r)\Big),\ (d+1)q + r\Big)\xi^{d}.$$
We will prove the following claim:

Suppose $t^*$, $X^*$, $\rho^*$, and $\varrho^*$ are as in the claim for the base case $d = 0$, and suppose $X^* = (P^*(pot(f \star \bar{p}^*)) + cost(f \star \bar{p}^*),\ p^*(pot(f \star \bar{p}^*)))$. If $rdp(t^*\rho^*_{\ell}) = d + 1$ then $t^*\rho^*_{\ell} \sqsubseteq dally(10 + 3p^*_{1p},\ X^*[\Lambda_{\varrho}\bar{v}.Y/f])\varrho^*$.

Again we first show that this claim is sufficient for establishing the desired bound for the induction step. From it we calculate
$$\begin{aligned}
t\rho_{t,\ell} &\sqsubseteq dally(10 + 3p_{1p},\ X_t[\Lambda_{\varrho}\bar{v}.Y/f])\varrho \\
&= \big(10 + 3p_{1p} + P(pot(f \star \bar{p})) + cost(f \star \bar{p}),\ q + (r \vee pot(f \star \bar{p}))\big)[\Lambda_{\varrho}\bar{v}.Y/f]\varrho \\
&\le \Big(10 + 3p_{1p} + P(pot(Y\xi)) + \Big(2k + \sum p_{ic} + cost(Y\xi)\Big),\ q + (r \vee pot(Y\xi))\Big)\varrho \\
&\le \Big(10 + 3p_{1p} + P(((d+1)q + r)\xi^{d+1}) + 2k + \sum p_{ic} + \Big(d(10 + 3p_{1p}) + (d+1)\Big(2k + \sum p_{ic} + P(dq + r)\Big)\Big)\xi^{d+1}, \\
&\qquad\quad q + (r \vee ((d+1)q + r)\xi^{d+1})\Big)\varrho \\
&\le \Big((d+1)(10 + 3p_{1p}) + (d+2)\Big(2k + \sum p_{ic} + P((d+1)q + r)\Big),\ (d+2)q + r\Big)\xi^{d+1}\varrho
\end{aligned}$$
using the fact that everything in sight is monotone and non-decreasing.

Establishing the claim is very similar to the $d = 0$ claim; we present just one key case here. Suppose that $t^* = f t_1 \ldots t_k$ and $t_i\rho^*_{\ell} \downarrow z_i\theta_i$. Also take $\bar{p}^*$ so that $t_i \sqsubseteq p^*_i$, so that $X^* = f \star \bar{p}^*$. Then analysing the evaluation derivation we have that
$$cost(t^*\rho^*_{\ell}) = \Big(2 + k + \sum p^*_{ic}\Big)\varrho^* + (8 + 3p^*_{1p})\varrho^* + cost(t\rho_{t,\ell+1}[v_i \mapsto z_i\theta_i])$$
(the $8 + 3p^*_{1p}$ term is from the clock test when evaluating $T_{t,\ell}\rho_{t,\ell+1}[v_i \mapsto z_i\theta_i]$). Since $rdp(t^*\rho^*_{\ell}) = d + 1$ and the evaluation of $t\rho_{t,\ell+1}[v_i \mapsto z_i\theta_i]$ is a subevaluation, we have that $rdp(t\rho_{t,\ell+1}[v_i \mapsto z_i\theta_i]) = d$, and so the main induction hypothesis applies to let us conclude that $t\rho_{t,\ell+1}[v_i \mapsto z_i\theta_i] \sqsubseteq Y\varrho^*[v_i \mapsto val(p^*_{ip}\varrho^*)]$. Thus
$$\begin{aligned}
cost(t^*\rho^*_{\ell}) &\le \Big(2 + k + \sum p^*_{ic} + (8 + 3p^*_{1p}) + cost(Y[v_i \mapsto val(p^*_{ip})])\Big)\varrho^* \\
&\le \big(10 + 3p^*_{1p} + cost((\Lambda_{\varrho}\bar{v}.Y) \star \bar{p}^*)\big)\varrho^* \\
&= \big(10 + 3p^*_{1p} + cost(f \star \bar{p}^*)\big)[\Lambda_{\varrho}\bar{v}.Y/f]\varrho^*,
\end{aligned}$$
where the second step is Proposition 10 (which charges $2k$ rather than $2 + k$ for the $k$ applications). Furthermore, if $t^*\rho^*_{\ell} \downarrow z\theta$ then $t\rho_{t,\ell+1}[v_i \mapsto z_i\theta_i] \downarrow z\theta$, and so
$$z\theta \sqsubseteq_{pot} pot(Y[v_i \mapsto val(p^*_{ip})])\varrho^* = pot((\Lambda_{\varrho}\bar{v}.Y) \star \bar{p}^*)\varrho^* = pot((f \star \bar{p}^*)[\Lambda_{\varrho}\bar{v}.Y/f])\varrho^*.$$
We conclude that $t^*\rho^*_{\ell} \sqsubseteq dally(10 + 3p^*_{1p},\ X^*[\Lambda_{\varrho}\bar{v}.Y/f])\varrho^*$. $\square$

Corollary 13 (Polynomial Unfolding Lemma). Suppose $\Gamma_t; f : \gamma \vdash t : b$ satisfies the ISA, $\rho \in \Gamma_t$-Env, $\varrho \in \|\Gamma_t\|$-Env, $\rho \sqsubseteq \varrho$. Then there is a $(\!(b)\!)$-safe time-complexity polynomial $\varphi(v, d^{(\!(b_i)\!)})$ such that for all $\ell$ such that $rdp(t\rho_\ell) < \omega$, $t\rho_\ell \sqsubseteq \varphi(v, rdp(t\rho_\ell))$.

Proof. Using the Unfolding Lemma, it suffices to show that the map VipS^f is a safe polynomial w.r.t. $p_{ip} : (\!(b_i)\!),\ d : (\!(b_i)\!)$. This is precisely the content of the One-step and $n$-step Lemmas of ATS (Lemmas 44 and 45). □

5.3.2. Bounds on recursion depth: the Termination Lemma. Next we prove the Termination Lemma, which establishes a polynomial bound on $rdp(t\rho_\ell)$; this will allow us to apply the Unfolding Lemma. Since we cannot a priori assume that we have an evaluation of $t\rho_\ell$, we need a formalism that allows us to refer to "non-terminating evaluations." We sketch the idea here. Introduce a new value $?[\,]$. Define the truncated evaluation relation $s\rho \downarrow' z\theta$ just like the usual evaluation relation $\downarrow$, but with an additional axiom:

$$(\mathrm{crec}(0^\ell)(\lambda_r f.\lambda v.t))\rho \downarrow' ?[\,]$$

Furthermore, for each inference rule of $\downarrow$ we add additional rules that say that if one of the hypotheses evaluates to $?[\,]$, then the remaining hypotheses (to the right) are ignored and the conclusion evaluates to $?[\,]$. For example, we have the additional inferences

$$\frac{r\rho \downarrow' ?[\,]}{(rs)\rho \downarrow' ?[\,]} \qquad\qquad \frac{r\rho \downarrow' (\lambda x.r')\theta' \qquad s\rho \downarrow' ?[\,]}{(rs)\rho \downarrow' ?[\,]}$$

We will use these truncated evaluations to establish a bound on the recursion depth of ordinary 
evaluations. The idea is to establish a uniform bound on the size of any "clock test" in any truncated 
evaluation of $t\rho_\ell$. Once we do that, we can consider a truncated evaluation with recursion depth 
greater than this bound. In such an evaluation, either the recursion terminates normally or the clock 
test will fail before any truncation axiom can be evaluated. Either way, there are no truncation 
axioms, so in fact we have an ordinary evaluation with the given bound on its recursion depth. 
Thus we will be able to apply the Unfolding Lemma. 
First we make an observation about evaluating crec terms. The case of interest is a closure of the form $(\mathrm{crec}(0^\ell)(\lambda_r f.\lambda v.t)\,t_1 \ldots t_k)\rho$ of base type. The first (lowest) evaluation of $t$ evaluates the closure $t\rho_{t,\ell+1}[v_i \mapsto z_{\ell,i}\theta_{\ell,i}]$ where $t_i\rho \downarrow z_{\ell,i}\theta_{\ell,i}$. Furthermore, if $m > \ell$ then the evaluation of $t\rho_{t,m+1}[v_i \mapsto z_{m,i}\theta_{m,i}]$ has the form

"m + 1 < tpt,m+2[vi l-> Zm+l,iOm+l,i] J z6 

Tm+lPt,m+2[Vi ^ Zm+l,idm+l,i] J z6 
{fsi . . . Sk)pt,m+l[Vi ^ Zm,iOm,i][y ^ z'9'] J zO 

tpt,m+l[vi Zm,iOm,i] J zO 

where:

• The $y$'s are the let-bound variables in $t$;

• $f\,s_1 \ldots s_k$ is one of the complete applications of $f$ in $t$;

• $s_i\rho_{m+1}[v_i \mapsto z_{m,i}\theta_{m,i}][y \mapsto z'\theta'] \downarrow z_{m+1,i}\theta_{m+1,i}$ ($f \notin \mathrm{fv}(s_i)$, so the evaluation of $s_i$ cannot involve a truncation axiom);

• We assume that the evaluation of $f\,s_1 \ldots s_k$ hidden by the $\cdots$ does not use a truncation axiom to evaluate the crec term to which $f$ evaluates.

This description of the evaluation is easy to prove by induction on the shape of $t$. What we must do to prove the Termination Lemma is to get a handle on the sizes of the values $z_{m,i}$ for $m > \ell$.

Lemma 14. Suppose that $\Gamma_t; f : \gamma \vdash t : b$ satisfies the ISA, $\rho \in \Gamma_t$-Env, $\varrho \in \|\Gamma_t\|$-Env, $\rho[v_i \mapsto z_{\ell,i}\theta_{\ell,i}] \sqsubseteq \varrho$. Consider any truncated evaluation of $t\rho_{t,\ell+1}[v_i \mapsto z_{\ell,i}\theta_{\ell,i}]$. Referring to the notation just introduced, for any $m > \ell$, $|z_{m,i}| < p_{ip}^{\,m-\ell}\varrho$.

Proof sketch. The proof is by induction on $m - \ell$ with the base case given by assumption. For the induction step, we first bound $|z_{\ell+1,i}|$. Here we need another claim about subterms of $t$ as in the proof of the Unfolding Lemma:

Suppose that $\Gamma_t; f : \gamma \vdash t^* : b^*$ is a subterm of $t$ and take $X^* = (P(pot(f \star p^*)) + cost(f \star p^*),\; p^*(pot(f \star p^*)))$ by the Decomposition Lemma so that $t^* \sqsubseteq X^*$. Suppose $\rho^* \in \Gamma_t$-Env is an extension of $\rho$, $\varrho^* \in \|\Gamma_t\|$-Env is an extension of $\varrho$, and $\rho^*[v_i \mapsto z_{\ell,i}\theta_{\ell,i}] \sqsubseteq \varrho^*$. Then using notation analogous to that just introduced, in the evaluation of $t^*\rho^*_{t,\ell+1}$, $|z_{\ell+1,i}| < p_{ip}\varrho^*$.

The proof of the claim is by induction on the shape of $t^*$ and is by now routine. Applying the claim to $t$ we conclude that $|z_{\ell+1,i}| < p_{ip}\varrho$ and so $\rho[v_i \mapsto z_{\ell+1,i}\theta_{\ell+1,i}] \sqsubseteq \varrho[v_i \mapsto val(p_{ip}\varrho)]$. So for $m > \ell$ the induction hypothesis tells us that $|z_{m,i}| < p_{ip}^{\,m-\ell-1}\varrho[v_i \mapsto val(p_{ip}\varrho)] = p_{ip}^{\,m-\ell}\varrho$. □

Theorem 15 (Termination Lemma). Under the assumptions of Lemma 14, $rdp(t\rho_{t,\ell+1}[v_i \mapsto z_{\ell,i}\theta_{\ell,i}]) < (2 + p_{ip})\varrho$.

Proof. A key component of the One-step and $n$-step Lemmas of ATS (Lemmas 44 and 45) is that we can take $p_{ip}$ such that pipS,t = Pip (this makes critical use of the restriction that if $b_j <: b_i$ then $b_i$ is oracular). Hence $p_{ip}^{\,d}\varrho = p_{ip}\varrho$ for any $d > 2$.

Suppose we choose $d > 2$ such that $\ell + d - 1 > p_{ip}\varrho$. Consider any truncated evaluation of $t\rho_{t,\ell+1}[v_i \mapsto z_{\ell,i}\theta_{\ell,i}]$ of recursion depth $d$. Such an evaluation recursively evaluates $t\rho_{t,m+1}[v_i \mapsto z_{m,i}\theta_{m,i}]$ for $m = \ell, \ldots, \ell + d - 1$. By Lemma 14 we have that $|z_{\ell+d-1,i}| < p_{ip}^{\,d-1}\varrho = p_{ip}^{\,d-2}\varrho = p_{ip}\varrho < \ell + d - 1$. Thus either the evaluation terminates normally (i.e., the evaluation of $t\rho_{t,m+1}[v_i \mapsto z_{m,i}\theta_{m,i}]$ does not recursively evaluate $f$ at all for some $\ell < m < \ell + d - 1$) or one of the clock tests fails, thereby terminating the evaluation. Either way we have a standard evaluation of $t\rho_{t,\ell+1}[v_i \mapsto z_{\ell,i}\theta_{\ell,i}]$ of recursion depth $< d$. Taking $d = (2 + p_{ip})\varrho$ yields the theorem. □

5.3.3. The Soundness Theorem. 

Theorem 16. For every ATR term $\Gamma; \Delta \vdash t : \tau$ there is a $tail(\|\tau\|)$-safe t.c. denotation $X$ of type $\|\tau\|$ w.r.t. $\|\Gamma; \Delta\|$ such that $t \sqsubseteq X$.

Proof. The proof is by induction on terms; for non-crec terms use Lemma 3. Let $s$ be the term $\Gamma; \_ \vdash \mathrm{crec}(0^\ell)(\lambda_r f.\lambda v.t) : b \to b$. Suppose $\rho \in \Gamma$-Env, $\varrho \in \|\Gamma\|$-Env, $\rho \sqsubseteq \varrho$. Since $s\rho \downarrow (\lambda v.\tau_\ell)\rho_{t,\ell+1}$ in one step, if $(\lambda v.\tau_\ell)\rho_{t,\ell+1} \sqsubseteq \chi$ then $s\rho \sqsubseteq dally(1, \chi)$, so we focus on characterizing such time-complexities $\chi$. Unwinding the definition of $\sqsubseteq$, we have $(\lambda v.\tau_\ell)\rho_{t,\ell+1} \sqsubseteq \chi$ if whenever $z_i\theta_i \sqsubseteq_{pot} p_i$ ($p_i$ is an arbitrary potential here, not necessarily a polynomial), we have that:

(1) $1 \le cost(\chi),\ cost(pot(\chi)p_1),\ \ldots,\ cost(pot(\ldots pot(pot(\chi)p_1)p_2 \cdots)p_{k-1})$.

(2) $\tau_\ell\rho_{t,\ell+1}[v_i \mapsto z_i\theta_i] \sqsubseteq pot(\ldots pot(pot(\chi)p_1)p_2 \cdots)p_k$.

Since $z_i\theta_i \sqsubseteq_{pot} p_i$ we have that $\rho[v_i \mapsto z_i\theta_i] \sqsubseteq \varrho[v_i \mapsto val(p_i)]$. Let $\rho'$ and $\varrho'$ denote these extended environments. By the Termination Lemma (Theorem 15) we have that $rdp(t\rho'_{t,\ell+1}) < (2 + p_{ip})\varrho$, where $p_{ip}$ is the $(\!(b_i)\!)$-safe polynomial given by the Decomposition Lemma (Theorem 11) for $t$. By the Polynomial Unfolding Lemma (Corollary 13) there is a $b$-safe polynomial $\varphi(v, d^{(\!(b_i)\!)})$ such that

$$t\rho'_{t,\ell+1} \sqsubseteq \varphi(v, p_{ip} + 2)\varrho' = pot(\ldots pot(pot((\lambda_\nu v.\varphi(v, p_{ip} + 2))\varrho)p_1)p_2 \cdots)p_k$$

and hence

$$\tau_\ell\rho'_{t,\ell+1} \sqsubseteq pot(\ldots pot(pot((\lambda_\nu v.\, dally(8 + p_{ip}, \varphi(v, p_{ip} + 2)))\varrho)p_1)p_2 \cdots)p_k.$$

Since $cost(\lambda_\nu x.X) = 1$ for any $x$ and $X$ and the $z_i\theta_i$ and $p_i$ were chosen arbitrarily, we conclude that

$$(\lambda v.\tau_\ell)\rho_{t,\ell+1} \sqsubseteq (\lambda_\nu v.\, dally(8 + p_{ip}, \varphi(v, p_{ip} + 2)))\varrho.$$

Since $\rho$ and $\varrho$ were chosen arbitrarily, we can therefore conclude that

$$\mathrm{crec}(0^\ell)(\lambda_r f.\lambda v.t) \sqsubseteq dally(1,\; \lambda_\nu v.\, dally(8 + p_{ip}, \varphi(v, p_{ip} + 2))),$$

and by Propositions H] and [9l this is a safe t.c. polynomial. □

Definition 13. For an ATR term $\Gamma; \Delta \vdash t : \tau$ we define the time-complexity interpretation of $t$, $\|t\|$, to be the t.c. denotation of Theorem 16.

Corollary 17 (Soundness for ATR). For every ATR term $\Gamma; \Delta \vdash t : \tau$, $\|t\|$ is $tail(\|\tau\|)$-safe w.r.t. $\|\Gamma; \Delta\|$ and $t \sqsubseteq \|t\|$.

6. Second-order polynomial bounds 

Our last goal is to connect time-complexity polynomials to the usual second-order polynomials 
of Kapron and Cook [13] and show that any ATR program is computable in type-2 polynomial 
time. The polynomial here will be in the lengths of the program's arguments, and hence we need 
a semantics of lengths, which lives inside the simple type structure over the time-complexity base 
types. We give a brief outline here, referring the reader to Section 2 of ATS for full details. 

For each ATR-type $\sigma$ we define $|\sigma|$ by

$$|\mathsf{N}_L| = \mathsf{T}_L \qquad\qquad |\sigma \to \tau| = |\sigma| \to |\tau|.$$
$$\Sigma \vdash \epsilon : \ldots \qquad\qquad \Sigma \vdash 0 : \mathsf{T}_0 \qquad\qquad \Sigma, x : \gamma \vdash x : \gamma$$

$$\frac{\Sigma \vdash p : \gamma}{\Sigma \vdash p : \gamma'}\ (\gamma \propto \gamma') \qquad\qquad \frac{\Sigma \vdash p : \gamma}{\Sigma \vdash p : \gamma'}\ (\gamma <: \gamma')$$

$$\frac{\Sigma \vdash p : b \qquad \Sigma \vdash q : b}{\Sigma \vdash p \bullet q : b} \qquad\qquad \frac{\Sigma \vdash p : b \qquad \Sigma \vdash q : b}{\Sigma \vdash p \vee q : b}$$

$$\frac{\Sigma, x : |\sigma| \vdash p : |\tau|}{\Sigma \vdash \lambda x.p : |\sigma \to \tau|} \qquad\qquad \frac{\Sigma \vdash p : |\sigma \to \tau| \qquad \Sigma \vdash q : |\sigma|}{\Sigma \vdash p\,q : |\tau|}$$

Figure 9. Typing rules for length polynomials. The type $b$ is a length base type, $\gamma$ and $\gamma'$ are any length types, and $\sigma$ and $\tau$ are any ATR-types. The operation $\bullet$ is $+$ or $*$ and in this rule $b$ is either $\mathsf{T}$ or $\mathsf{T}_k$ for some $k$.

We are concerned primarily with two kinds of objects in these length-types: the lengths of the meanings of ATR programs and the meanings of second-order polynomials. For the former, recall that the interpretation of the ATR base types is $K = \{0,1\}^*$; for any $a \in K$, $|a|$ is defined as expected and the length of a function is defined as follows:

Definition 14. If $f$ is a type-1 $k$-ary function, set

$$|f| = \lambda n_1 \ldots n_k.\max\{\,|f(v_1, \ldots, v_k)| : \forall i\,(|v_i| < n_i)\,\}.$$

The notion of length for objects of type-level > 2 is much more difficult to pin down; as we do 
not need it here, we omit any discussion of it. 

With the notion of length in hand, we can give the definition of ||a|| promised in Theorem [H 

Definition 15. If $a^{(b_1, \ldots, b_k) \to b}$ is an oracle symbol, then

$$\|a^{(b_1, \ldots, b_k) \to b}\| = \lambda n_1^{(\!(b_1)\!)}.(1,\ \lambda n_2^{(\!(b_2)\!)}.\ldots(1,\ \lambda n_k^{(\!(b_k)\!)}.(1 \vee |a|(\vec n),\ |a|(\vec n)))\ldots)).$$

The second-order length polynomials are defined by the typing rules in Figure 9; there is nothing surprising here, and the intended interpretation is just as expected. As with the time-complexity types, we define $|\sigma| \propto |\tau|$ iff $\sigma \propto \tau$ and $|\sigma| <: |\tau|$ iff $\sigma <: \tau$. In these rules, a type-context $\Sigma$ is an assignment of length-types to variables. For an ATR type-context $\Gamma; \Delta$ set $|\Gamma; \Delta| = \bigcup_{(x : \sigma) \in \Gamma; \Delta}\{\,|x| : |\sigma|\,\}$ where for each ATR variable $x$, $|x|$ is a new variable symbol.

Our real concern is with closed ATR programs of the form $\lambda x.t$ where $t$ is of base type. We know that $\lambda x.t \sqsubseteq \lambda_\nu x.\|t\| = (1, \lambda_\nu x_1.(\ldots(1, \lambda_\nu x_k.(P, p)) \cdots))$ where $P$ and $p$ are base-type polynomials over the potential variables $x$. Since the time-complexity polynomial calculus is just a simple applied $\lambda$-calculus, it is strongly normalizing, and so we can assume that the polynomials are in normal form. Thus we start with an analysis of time-complexity polynomials in normal form:

Lemma 18. Suppose $x_1 : (\!(\sigma_1)\!), \ldots, x_k : (\!(\sigma_k)\!) \vdash p : \gamma$ is a t.c. polynomial in normal form. Then $p$ has one of the following forms:

(1) $0^n$ for some $n > 0$;

(2) $pot(pot(\ldots pot(pot(v\,q_1)q_2)\ldots)q_\ell)$ where $v$ is either an oracle symbol or one of the $x_j$'s and each $q_i$ is in normal form and of potential type (this term is of potential type);

(3) $cost(pot(\ldots pot(pot(v\,q_1)q_2)\ldots)q_\ell)$ where $v$ is either an oracle symbol or one of the $x_j$'s and each $q_i$ is in normal form and of potential type (this term is of cost type);

(4) $q_1 * q_2$, $q_1 + q_2$, $q_1 \vee q_2$ where each $q_i$ is in normal form and of base type (this term is of base type);

(5) $\|a\|$;

(6) $(q_0, q_1)$ where $q_0$ is in normal form and of cost type and $q_1$ is in normal form and of potential type (this term is of time-complexity type);

(7) $pot(\ldots pot(pot(v\,q_1)q_2)\ldots)q_\ell$ where $v$ is either an oracle symbol or one of the $x_j$'s and each $q_i$ is in normal form and of potential type (this term is of time-complexity type).

Note that (2) includes the special case $x_j$ when $\sigma_j$ is a base type, and in (2), (3), and (7), $\ell$ may be strictly less than the arity of $v$.

Proof. By induction on the typing derivation. □ 

Proposition 19. Suppose $p(x_1, \ldots, x_k)$ is as in Lemma 18, $a_i$ an oracle symbol for $i = 1, \ldots, k$. Then $p(pot(\|a_1\|), \ldots, pot(\|a_k\|))$ is a second-order polynomial in $|a_1|, \ldots, |a_k|$.

Combining the Soundness Theorem (Corollary 17) with Proposition 19 yields:

Theorem 20. If $\_;\_ \vdash t : \tau$, then $t$ is computable in type-2 polynomial time.

A word of caution in interpreting this result is in order. The basic feasible functionals of Mehlhorn [l^ and Cook and Urquhart 0] are an extension of polynomial-time functions to higher type. They live in the full (set-theoretic) type structure and for type-level $\le 2$ are defined as follows. The basic model is an oracle Turing machine with function oracles, and the cost of an oracle query is the length of the answer. A functional $F(f, x)$ of type-level $\le 2$ is basic feasible if it is computed by such an oracle Turing machine with oracle $f$ in time where $p$ is a second-order polynomial (this is the characterization of Kapron and Cook [iB]; Ignjatovic and Sharma [l^ give a similar characterization for unit-cost oracle queries). Now, ATR is not interpreted in the full type structure but rather in the well-tempered semantics discussed in Section 4.1. Thus, we have not quite yet characterized the basic feasible functionals. However, on ATR-types that are both strict and predicative (see Definition 2), the well-tempered semantics agrees with the full type structure (recalling the discussion after Definition 2, the relevant point here is that no restrictions are made on function spaces of strict and predicative type). Thus we conclude:

Theorem 21. If $\_;\_ \vdash t : \tau$, all variables of $t$ are of strict and predicative type, and $t$ contains no oracle symbols, then $t$ defines a basic feasible functional.

In fact, some ATR programs compute function(al)s that are not basic feasible but are nonetheless second-order polynomial-time computable according to Theorem 20. For example, consider the following ATR program for the primitive recursion on notation combinator (roughly, foldr for binary strings):

val prn: ((N, ^ b ^ Nn, ^ Nnj2, N^) ^ (N, ^ b ^ NnJ 
fn f0, f1, a ⇒
  fn x y ⇒ letrec F : Nn^ ^ ^ Nn^ =
    fn b x' ⇒ if x' then if t0 x' then f0 (d x') y (F b (d x'))
                            else f1 (d x') y (F b (d x'))
              else a
  in F cqx x end

This combinator is not basic feasible, because in the full type structure it could be applied to arguments with non-trivial growth rates, and this would lead out of the realm of feasibility. However, in ATR the types of the arguments control the growth rates of the functions to which it is applied (specifically, the type of the function argument ensures that it has a "small" growth rate in terms of the size of the recursive call). Thus we can have our cake and eat it too: we can define natural programming combinators (like prn), but the type system will keep us from using them in a way that results in infeasible computations.
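The prn combinator above, applied to step functions of different growth rates, as an added example in Python (this is not the paper's code; `prn_checked` and its size budget are a constructed, dynamic stand-in for the growth restriction that ATR's types impose statically, and the step-function names are ours):

```python
# Added example, not the paper's code: the prn combinator (primitive recursion on
# notation, a foldr over the bits of a binary string) written in Python, with
# step functions of different growth rates and a runtime size-budget check that
# plays the role ATR's types play statically. All names here are constructed.

def prn(f0, f1, a, x, y):
    """prn f0 f1 a x y, with x a binary string (most significant bit first).

    F(epsilon)  = a
    F(x' . 0)   = f0 x' y F(x')
    F(x' . 1)   = f1 x' y F(x')
    The loop visits the prefixes of x from shortest to longest, so `prefix`
    is the paper's d x' (x' with its last bit dropped) and `bit` is that bit.
    """
    acc = a
    for i in range(1, len(x) + 1):
        prefix, bit = x[:i - 1], x[i - 1]
        acc = (f0 if bit == "0" else f1)(prefix, y, acc)
    return acc

def prn_checked(f0, f1, a, x, y, slack=0):
    """Like prn, but rejects a step whose result is larger than the sizes of
    its inputs plus a constant slack. This is a dynamic stand-in for the
    'small growth rate' that the ATR type of the function argument enforces."""
    acc = a
    for i in range(1, len(x) + 1):
        prefix, bit = x[:i - 1], x[i - 1]
        new = (f0 if bit == "0" else f1)(prefix, y, acc)
        budget = len(acc) + len(prefix) + len(y) + slack
        if len(new) > budget:
            raise ValueError(f"step {i}: result of size {len(new)} exceeds budget {budget}")
        acc = new
    return acc

# A feasible use of prn: count the 1-bits of x, in unary.
def popcount_unary(x):
    return prn(lambda _p, _y, r: r, lambda _p, _y, r: r + "1", "", x, "")

# Two step functions that differ only in growth rate.
def step_append(_prefix, y, r):   # |result| <= |r| + 1: additive growth
    return r + y[:1]

def step_double(_prefix, _y, r):  # |result| = 2|r|: the output doubles per bit
    return r + r

def output_length(step, a, x, y):
    return len(prn(step, step, a, x, y))

def doubling_is_rejected(x, a="1", y="1"):
    """True if the size-budget check stops the doubling step before it finishes."""
    try:
        prn_checked(step_double, step_double, a, x, y)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    n = 16
    print("popcount_unary('101101') =", popcount_unary("101101"))
    print("append step, |x| =", n, "->", output_length(step_append, "1", "1" * n, "1"))
    print("double step, |x| =", n, "->", output_length(step_double, "1", "1" * n, "1"))
    print("double step rejected by budget check:", doubling_is_rejected("1" * 8))
```

With the appending step the output grows by one bit per bit of `x`, so its length is |a| + |x|; with the doubling step it is |a|·2^|x|, which is the kind of growth the full type structure permits and ATR's argument types rule out. The budget check rejects the doubling step at the third bit, as soon as its result exceeds the combined size of its inputs, while the appending step passes every step.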

7. Concluding remarks 

In ATS we introduced the formalism ATR which captures the basic feasible functionals at type-levels $\le 2$. In the current paper we have extended the formalism to include a broad range of affine recursion schemes (plain affine recursive definitions) that allow for more natural programming and demonstrated the new formalism by implementing lists of binary strings and insertion- and selection-sort. We have extended the original time-complexity semantics of ATS to handle the more involved programs expressible via plain affine recursion and shown that these new programs do not take us out of the realm of feasibility. We conclude by indicating some possible extensions and future research directions:

Branching recursion. This paper has focused on affine (one-use) recursions, and of course there are 
feasible algorithms that do not fit this mold. Especially germane to the examples of this paper are 
sorting algorithms such as merge-sort and quick-sort that are based on branching recursions. Let 
us consider the latter to see some of what would be involved in adding branching recursion to an 
ATR-like language. Here is a functional version of quick-sort over lists: 

val quicksort =
  fn xs ⇒ letrec qsort =
    fn ys ⇒ if (length ys) < 1 then ys
            else let val (pivot, small, big) = partition ys
                 in append (qsort small) (cons pivot (qsort big)) end
  in qsort xs end

We assume that small is the list of items in ys with values < pivot (excluding the pivot item itself), 
and big is the list of items in ys with values > pivot. 

The tightest upper bounds on the sizes of the individual arguments are $|small| < |ys|$ and $|big| < |ys|$, and this only allows us to extract exponential upper bounds on the run-time of this definition. In order to establish a polynomial run-time bound one also needs to know that the arguments of the two branches of the recursion satisfy the joint size restriction $|small| + |big| < |ys|$. It is hard to see how to gracefully assert this sort of joint size bound using ATR-style types and combinators. Another problem is that in a recursive definition, it may be difficult to know which of the various recursive calls can together form a set of branching calls, and hence it may be difficult to know what sets of joint size constraints one needs to satisfy to guarantee a polynomial run-time.

Rather than attempting to handle general feasible branching recursions, we propose investigating 
combinators that express particular flavors of branching recursions that work well with ATR-style 
types and deal with the problems noted above. Here is a reworked version of quick-sort using a 
possible such combinator, inspired by Blelloch and colleagues' work on the parallel programming 
language NESL [^,4]: 

val quicksort =
  fn xs ⇒ letrec qsort =
    fn ys ⇒ if (length ys) < 1 then ys
            else let val (zs, part_idx) = partition ys
                 in concat (map' qsort zs [part_idx, part_idx+1]) end
  in qsort xs end

Here we assume that partition is defined so that zs is a permutation of ys such that zs[i] < zs[part_idx] < zs[j] for any i < part_idx < j, and map' f vs [i, j] maps f over [vs[0..i−1], vs[i..j−1], vs[j..(length zs)−1]]. Notice that in this definition, qsort occurs affinely (modulo map') and the aggregate data to the branching recursion (i.e., zs in the map' expression) occurs in one place where typing has a chance of constraining its size. Based on this, we claim it is quite plausible that a combinator like map' can be integrated into ATR, and thanks to the work on NESL we know that such a combinator can express a great many useful divide-and-conquer recursions. In fact, NESL uses a parallel map' combinator, so using the NESL work one could do a straightforward static analysis of ATR + map'-programs to extract bounds on their parallel time complexity. This would fit in very nicely with recent work of Chakravarty et al. 0] on data-parallel Haskell.
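The two quick-sort definitions of this section, together with a check of the individual and joint size bounds discussed above, as an added example in Python rather than the paper's ML-like notation (this is not the paper's or NESL's code; `map_segments` is a constructed analogue of map', `partition` sends ties to `big` so that duplicates are kept, and the two recurrence functions are ours):

```python
# Added example, not the paper's code: the two quick-sort formulations from the
# text written in Python, with a record of the argument sizes at each recursive
# call so the individual and joint size bounds can be checked, and the worst
# cases the two kinds of bound allow. `map_segments` is a constructed stand-in
# for the paper's map' combinator, not NESL's primitive.

def partition(ys):
    """Return (pivot, small, big) with small the items < pivot and big the
    items >= pivot, the pivot item itself excluded from both (the text's
    convention; ties go to big so that duplicates are not lost)."""
    pivot, rest = ys[0], ys[1:]
    small = [v for v in rest if v < pivot]
    big = [v for v in rest if v >= pivot]
    return pivot, small, big

def quicksort_direct(xs):
    """The first definition: qsort small and qsort big are two separate calls."""
    def qsort(ys):
        if len(ys) <= 1:
            return ys
        pivot, small, big = partition(ys)
        return qsort(small) + [pivot] + qsort(big)
    return qsort(xs)

def partition_idx(ys):
    """The second partition: zs is a permutation of ys with
    zs[i] < zs[part_idx] <= zs[j] for all i < part_idx < j."""
    pivot, small, big = partition(ys)
    return small + [pivot] + big, len(small)

def map_segments(f, vs, cuts):
    """Constructed analogue of map' f vs [i, j]: apply f to the segments
    vs[0..i-1], vs[i..j-1], vs[j..len(vs)-1] and return the three results."""
    i, j = cuts
    return [f(vs[:i]), f(vs[i:j]), f(vs[j:])]

def quicksort_segmented(xs):
    """The second definition: qsort occurs once, under map_segments, and the
    whole aggregate zs is the single place where a type could bound the size."""
    def qsort(ys):
        if len(ys) <= 1:
            return ys
        zs, k = partition_idx(ys)
        return [v for part in map_segments(qsort, zs, [k, k + 1]) for v in part]
    return qsort(xs)

def call_sizes(xs):
    """(|ys|, |small|, |big|) for every recursive call made by quicksort_direct."""
    sizes = []
    def qsort(ys):
        if len(ys) <= 1:
            return ys
        pivot, small, big = partition(ys)
        sizes.append((len(ys), len(small), len(big)))
        return qsort(small) + [pivot] + qsort(big)
    qsort(xs)
    return sizes

def bounds_hold(xs):
    """Individual bounds |small| < |ys|, |big| < |ys| and the joint bound
    |small| + |big| < |ys| at every call."""
    return all(s < n and b < n and s + b < n for n, s, b in call_sizes(xs))

def total_work(xs):
    """Sum of |ys| over all calls: the quantity a run-time bound controls."""
    return sum(n for n, _, _ in call_sizes(xs))

def bound_from_individual_sizes(n):
    """Worst case allowed by the individual bounds alone: T(n) = 2T(n-1) + n,
    which is exponential in n (already-sorted input realises the 2T(n-1) shape
    only on one side, but the bound cannot know that)."""
    t = 0
    for k in range(2, n + 1):
        t = 2 * t + k
    return t

def bound_from_joint_size(n):
    """Worst case once |small| + |big| < |ys| is known: T(n) = T(n-1) + n at
    most, i.e. n + (n-1) + ... + 2, which is quadratic in n."""
    return sum(range(2, n + 1))

if __name__ == "__main__":
    xs = [5, 3, 8, 1, 9, 2, 7, 3, 3]
    print(quicksort_direct(xs), quicksort_segmented(xs))
    print("bounds hold:", bounds_hold(xs), "work:", total_work(xs))
    print("sorted input of 10: work", total_work(list(range(10))),
          "joint bound", bound_from_joint_size(10),
          "individual bound", bound_from_individual_sizes(10))
```

Already-sorted input is the worst case for this partition: every call shrinks the list by exactly one, so `total_work(list(range(10)))` meets the quadratic bound `bound_from_joint_size(10)` exactly, while the bound derivable from the individual sizes alone is the exponential 1524. That gap is the point of the text: without the joint constraint the type system can only certify the exponential figure.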

Lazy ATR. A version of ATR with lazy evaluation would be very interesting, regardless of whether 
the constructors are strict or lazy (yielding streams). There are many technical challenges in 
analyzing such a system but we expect that the general outline will be the approach we have used 
in this paper. Of course one can implement streams in the current call-by-value setting in standard 
ways (raising the type-level), but a direct lazy implementation of streams is likely to be more 
informative. We expect the analysis of such a lazy-ATR to require an extensive reworking of the 
various semantic models we have discussed here and in ATS. 

Real-number algorithms. ATR is a type-2 language, but here we have focused on type-1 algorithms. We are interested in type-2 algorithms, specifically in real-number algorithms as discussed in, e.g., Ko [16], where real numbers are represented by type-1 oracles. This can be done in either a call-by-value setting in which algorithms take a string of length $n$ as input and return something like an $n$-bit approximation of the result, or a lazy setting in which the algorithm returns bits of the result on demand. Combined with lazy constructors, the latter would allow us to view real numbers themselves as streams; in particular, since real numbers would be base-type objects, we could look at operators on real functions.

Appendix A. Equivalence of the operational semantics and the abstract machine semantics of ATS 

Here we sketch the proof of equivalence between the abstract-machine semantics for ATR in ATS and the evaluation-derivation semantics we have used here. We refer the reader to ATS for a detailed definition of the abstract machine. The abstract machine semantics works with configurations of the form $(t, \rho, \kappa)$, where $t$ is an expression, $\rho$ an environment, and $\kappa$ a (defunctionalized) continuation, and defines a transition relation $c \leadsto c'$ between configurations. Continuations are defined as a sequence of keywords, expressions, and environments, always ending in the keyword halt. If $\kappa$ and $\kappa'$ are two continuations, we define $\kappa\kappa'$ to be the continuation obtained by deleting the keyword halt from $\kappa$ and then concatenating $\kappa'$ to the result. For configurations $c$ and $c'$ we write $c \leadsto^n c'$ if $c = c_0 \leadsto c_1 \leadsto \cdots \leadsto c_n = c'$ and $c \leadsto^* c'$ if $c \leadsto^n c'$ for some $n$. In the following, $z$ denotes a value.

Lemma 22. If $(t, \rho, \kappa_0) \leadsto^n (z, \theta, \kappa_1)$ and $\kappa'$ is any continuation, then $(t, \rho, \kappa_0\kappa') \leadsto^n (z, \theta, \kappa_1\kappa')$. In particular, if $(t, \rho, (\mathrm{halt})) \leadsto^n (z, \theta, (\mathrm{halt}))$, then for any continuation $\kappa$, $(t, \rho, \kappa) \leadsto^n (z, \theta, \kappa)$.

Proposition 23. If $t\rho \downarrow_n z\theta$ then $(t, \rho, (\mathrm{halt})) \leadsto^m (z, \theta, (\mathrm{halt}))$ for some $m < 3n$.
Proof. By induction on the height of the derivation. Lemma 25 allows us to make use of the induction hypothesis. □

Lemma 24. If $(t, \rho, \kappa_0) \leadsto^n (z, \theta, \kappa_1)$, then the transition sequence has an initial segment of the form $(t, \rho, \kappa_0) \leadsto^m (z', \theta', \kappa_0)$ for some value $z'\theta'$ such that $t\rho \downarrow_m z'\theta'$.

Proof. By induction on the length of the transition sequence. □

Proposition 25. If $(t, \rho, (\mathrm{halt})) \leadsto^n (z, \theta, (\mathrm{halt}))$, then $t\rho \downarrow_n z\theta$.

Proof. By Lemma 24 there are $m$ and $\ell$ such that the given transition sequence has the form $(t, \rho, (\mathrm{halt})) \leadsto^m (z', \theta', (\mathrm{halt})) \leadsto^\ell (z, \theta, (\mathrm{halt}))$. Since $z'$ is a value, there are no transitions that start from $(z', \theta', (\mathrm{halt}))$, and so we conclude that $\ell = 0$ and hence that $z'\theta' = z\theta$. And by Lemma 24, $t\rho \downarrow_m z'\theta' = z\theta$. □